MediaTicket? Please help!

[pacosaff]

Norton has found this malware but cannot delete. It gives its location as C:\WINDOWS\Downloaded program files\MediaTicketsInstaller.INF. But I can't find it there or anywhere else. Please help me to get rid of this malware which is messing up my computer. Thanks

[Mr_JAk3]

Hello pacosaff and welcome to the Forums


Please post a HijackThis log to here.

• Download HJTInstall.exe to your Desktop.
• Doubleclick HJTInstall.exe to install it.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

[pacosaff]

Thanks for your welcome Mr_Jak3 and for your help..

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:30, on 04/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\ICONDESK\IconDesk.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O2 - BHO: (no name) - {A53F96EB-0452-09AD-2E26-0CC2BD21149C} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Saue] "C:\DOCUME~1\Pacosaff\MYDOCU~1\CROSOF~1.NET\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Baaobvek] "C:\Program Files\s?stem\r?ndll32.exe"
O4 - HKCU\..\Run: [Spol] http://www.toya.net.pl/~spol/site/index.htm
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196194709687
O20 - Winlogon Notify: urqpnol - urqpnol.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 12472 bytes

[Mr_JAk3]

Hi

You're infected.

Have you uninstalled Norton/Symantec?

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[pacosaff]

Thanks for the reply. Should I uninstall Norton?
Here's the ComboFix log:

ComboFix 07-12-02.6 - Pacosaff 2007-12-06 19:21:08.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.138 [GMT 0:00]
Running from: H:\Paul's Repair Kit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pacosaff\Application Data\dach100.dll
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\system32\rMa01yy

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-03 08:55 . 2007-12-03 08:56 918,045 --ah----- C:\DH Temp.tmp
2007-12-02 20:36 . 2007-12-02 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a------ C:\WINDOWS\system32\wshom.ocx
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a--c--- C:\WINDOWS\system32\dllcache\wshom.ocx
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 00:27 . 2007-05-29 13:55 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-29 00:27 . 2007-05-29 13:55 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-11-29 00:27 . 2007-05-29 13:55 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-28 23:56 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-11-28 23:51 . 2007-07-17 12:21 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-11-28 23:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-28 23:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-26 23:58 . 2007-11-26 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-26 23:04 . 2007-11-26 23:04 16 --a------ C:\WINDOWS\system32\coh.cache
2007-11-26 19:42 . 2007-11-29 19:01 <DIR> d-------- C:\Program Files\Norton 360
2007-11-26 19:40 . 2007-12-05 08:57 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-26 19:40 . 2007-12-05 08:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-26 19:39 . 2007-12-05 08:57 <DIR> d-------- C:\Program Files\Symantec
2007-11-26 19:39 . 2007-12-02 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 19:38 . 2007-11-30 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-22 22:41 . 2007-12-06 19:19 <DIR> d-------- C:\Paul's Repair Kit
2007-11-20 08:13 . 2007-11-20 08:13 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-11 23:21 . 2007-11-11 23:21 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\AquaSoft
2007-11-11 23:19 . 2007-11-11 23:19 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{080C77D8-6A24-4B5E-89CF-240D0E56A59E}
2007-11-11 23:18 . 2007-11-11 23:18 <DIR> d-------- C:\Program Files\AquaSoft
2007-11-06 22:14 . 2007-11-06 22:24 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\MilkShape 3D 1.x.x
2007-11-06 22:13 . 2007-11-06 22:14 <DIR> d-------- C:\Program Files\MilkShape 3D 1.8.2
2007-11-06 08:18 . 2007-11-19 23:50 <DIR> d-------- C:\Program Files\3D-brush-2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 08:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 21:08 --------- d-----w C:\Program Files\PTGui
2007-12-02 20:36 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 11:28 20 ----a-w C:\sccfg.sys
2007-12-02 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 10:37 --------- d-----w C:\Program Files\Fake Webcam
2007-12-01 08:49 --------- d-----w C:\Program Files\FlashGet
2007-11-29 00:51 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\uTorrent
2007-11-28 00:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\Symantec
2007-11-17 21:31 --------- d-----w C:\Program Files\GameHouse
2007-11-17 15:08 --------- d-----w C:\Program Files\PopCap Games
2007-11-15 23:45 --------- d-----w C:\Program Files\Ubisoft
2007-11-14 20:37 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\LimeWire
2007-11-05 23:31 --------- d-----w C:\Program Files\Torrent Harvester
2007-11-05 23:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 20:51 --------- d-----w C:\Program Files\SecondLife
2007-10-29 19:03 --------- d-----w C:\Program Files\Pixarra
2007-10-27 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Anarchy
2007-10-20 13:47 --------- d-----w C:\Program Files\Act-3D
2007-10-18 18:13 --------- d-----w C:\Program Files\Dark Egypt
2007-10-14 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-14 19:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 19:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 09:12 --------- d-----w C:\Program Files\FXhome VisionLab Studio
2007-10-12 08:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MediaMan
2007-01-11 00:08 0 ----a-w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2006-09-23 14:57 81,920 ----a-w C:\Documents and Settings\Pacosaff\Application Data\ezpinst.exe
2006-09-23 14:57 47,360 ----a-w C:\Documents and Settings\Pacosaff\Application Data\pcouffin.sys
2005-07-02 16:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 22:39 88 --sh--r C:\WINDOWS\system32\668E944800.sys
2007-01-10 22:44 3,454 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A53F96EB-0452-09AD-2E26-0CC2BD21149C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Saue"="C:\DOCUME~1\Pacosaff\MYDOCU~1\CROSOF~1.NET\chkdsk.exe" []
"Baaobvek"="C:\Program Files\s?stem\r?ndll32.exe" []
"Spol"="http://www.toya.net.pl/~spol/site/index.htm" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-19 11:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00]
"NvMediaCenter"="RUNDLL32.exe" [2002-08-29 12:00 C:\WINDOWS\system32\rundll32.exe]
"ALUAlert"="c:\program files\symantec\liveupdate\alunotify.exe" [2007-09-12 18:27]

C:\Documents and Settings\Pacosaff\Start Menu\Programs\Startup\
AntiCrash.lnk - C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 12:00:44]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 11:59:30]
ICONDESK.lnk - C:\Program Files\ICONDESK\IconDesk.exe [2001-12-02 22:22:03]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2006-09-29 21:22:37]
Registration-INSDVD.lnk - C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-09-26 12:18:00]
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2003-06-19 20:06:39]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2005-12-19 11:59:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-23 15:31:21]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-14 21:16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnol]
urqpnol.dll

R0 gxc108b;gxc108b;C:\WINDOWS\System32\DRIVERS\gxc108b.sys
R0 gxc108p;gxc108p;C:\WINDOWS\System32\Drivers\gxc108p.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys
R0 VOBID;VOBID;C:\WINDOWS\System32\DRIVERS\vobid.sys
R1 gcvcd;gcvcd;C:\WINDOWS\System32\drivers\gcvcd.sys
R1 sdpiosys;sdpiosys;C:\WINDOWS\System32\drivers\sdpiosys.sys
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys
R2 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
R2 CatnHat;CatnHat;C:\WINDOWS\System32\drivers\CatnHat.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\System32\DRIVERS\nvtunep.sys
R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe"
R3 cdrdrv;Cdrdrv;C:\WINDOWS\System32\Drivers\Cdrdrv.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys
S2 CADopia License Manager;CADopia License Manager;C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
S2 lmgrd;Flexlm;C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
S2 windrvNT;windrvNT;\??\C:\WINDOWS\System32\windrvNT.sys
S3 aaudstum;aaudstum;\??\C:\DOCUME~1\Pacosaff\LOCALS~1\Temp\aaudstum.sys
S3 Aliasiilace;Aliasiilace;C:\WINDOWS\System32\drivers\drmkaud.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\System32\Drivers\ICAM5D2.sys
S3 pmxscan;USB USB FlatBed Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys
S3 USBVSP;USBVSP;C:\WINDOWS\System32\drivers\Usbvsp.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 19:41:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 19:43:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 10:04
.
--- E O F ---

[Mr_JAk3]

Hi

Don't uninstall Norton if you're using it. I just asked because it didn't seem to be running correctly on the last HijackThis log.

We'll continue

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Driver::
aaudstum

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A53F96EB-0452-09AD-2E26-0CC2BD21149C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Saue"=-
"Baaobvek"=-
"Spol"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=-
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnol]

Save this as "CFScript"



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

[pacosaff]

OK...here's the new ComboFix log:

ComboFix 07-12-02.6 - Pacosaff 2007-12-08 23:51:58.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.141 [GMT 0:00]
Running from: C:\Documents and Settings\Pacosaff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pacosaff\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pacosaff\Application Data\dach100.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AAUDSTUM
-------\aaudstum


((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-02 20:36 . 2007-12-02 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a------ C:\WINDOWS\system32\wshom.ocx
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a--c--- C:\WINDOWS\system32\dllcache\wshom.ocx
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 00:27 . 2007-05-29 13:55 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-29 00:27 . 2007-05-29 13:55 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-11-29 00:27 . 2007-05-29 13:55 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-28 23:56 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-11-28 23:51 . 2007-07-17 12:21 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-11-28 23:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-28 23:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-26 23:58 . 2007-11-26 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-26 23:04 . 2007-11-26 23:04 16 --a------ C:\WINDOWS\system32\coh.cache
2007-11-26 19:42 . 2007-11-29 19:01 <DIR> d-------- C:\Program Files\Norton 360
2007-11-26 19:40 . 2007-12-05 08:57 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-26 19:40 . 2007-12-05 08:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-26 19:39 . 2007-12-05 08:57 <DIR> d-------- C:\Program Files\Symantec
2007-11-26 19:39 . 2007-12-07 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 19:38 . 2007-11-30 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-22 22:41 . 2007-12-08 23:48 <DIR> d-------- C:\Paul's Repair Kit
2007-11-20 08:13 . 2007-11-20 08:13 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-11 23:21 . 2007-11-11 23:21 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\AquaSoft
2007-11-11 23:19 . 2007-11-11 23:19 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{080C77D8-6A24-4B5E-89CF-240D0E56A59E}
2007-11-11 23:18 . 2007-11-11 23:18 <DIR> d-------- C:\Program Files\AquaSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 08:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 21:08 --------- d-----w C:\Program Files\PTGui
2007-12-02 20:36 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 11:28 20 ----a-w C:\sccfg.sys
2007-12-02 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 10:37 --------- d-----w C:\Program Files\Fake Webcam
2007-12-01 08:49 --------- d-----w C:\Program Files\FlashGet
2007-11-29 00:51 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\uTorrent
2007-11-28 00:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\Symantec
2007-11-19 23:50 --------- d-----w C:\Program Files\3D-brush-2
2007-11-17 21:31 --------- d-----w C:\Program Files\GameHouse
2007-11-17 15:08 --------- d-----w C:\Program Files\PopCap Games
2007-11-15 23:45 --------- d-----w C:\Program Files\Ubisoft
2007-11-14 20:37 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\LimeWire
2007-11-06 22:24 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MilkShape 3D 1.x.x
2007-11-06 22:14 --------- d-----w C:\Program Files\MilkShape 3D 1.8.2
2007-11-05 23:31 --------- d-----w C:\Program Files\Torrent Harvester
2007-11-05 23:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 20:51 --------- d-----w C:\Program Files\SecondLife
2007-10-29 19:03 --------- d-----w C:\Program Files\Pixarra
2007-10-27 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Anarchy
2007-10-20 13:47 --------- d-----w C:\Program Files\Act-3D
2007-10-18 18:13 --------- d-----w C:\Program Files\Dark Egypt
2007-10-14 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-14 19:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 19:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 09:12 --------- d-----w C:\Program Files\FXhome VisionLab Studio
2007-10-12 08:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MediaMan
2007-01-11 00:08 0 ----a-w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2006-09-23 14:57 81,920 ----a-w C:\Documents and Settings\Pacosaff\Application Data\ezpinst.exe
2006-09-23 14:57 47,360 ----a-w C:\Documents and Settings\Pacosaff\Application Data\pcouffin.sys
2005-07-02 16:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 22:39 88 --sh--r C:\WINDOWS\system32\668E944800.sys
2007-01-10 22:44 3,454 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-06_19.42.52.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 10:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-12-05 08:50:29 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-08 08:50:32 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-05 08:50:29 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-08 08:50:32 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-05 08:50:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-08 08:50:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-09 00:14:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-19 11:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00]
"NvMediaCenter"="RUNDLL32.exe" [2002-08-29 12:00 C:\WINDOWS\system32\rundll32.exe]
"ALUAlert"="c:\program files\symantec\liveupdate\alunotify.exe" [2007-09-12 18:27]

C:\Documents and Settings\Pacosaff\Start Menu\Programs\Startup\
AntiCrash.lnk - C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 12:00:44]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 11:59:30]
ICONDESK.lnk - C:\Program Files\ICONDESK\IconDesk.exe [2001-12-02 22:22:03]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2006-09-29 21:22:37]
Registration-INSDVD.lnk - C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-09-26 12:18:00]
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2003-06-19 20:06:39]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2005-12-19 11:59:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-23 15:31:21]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-14 21:16:45]

R0 gxc108b;gxc108b;C:\WINDOWS\System32\DRIVERS\gxc108b.sys
R0 gxc108p;gxc108p;C:\WINDOWS\System32\Drivers\gxc108p.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys
R0 VOBID;VOBID;C:\WINDOWS\System32\DRIVERS\vobid.sys
R1 gcvcd;gcvcd;C:\WINDOWS\System32\drivers\gcvcd.sys
R1 sdpiosys;sdpiosys;C:\WINDOWS\System32\drivers\sdpiosys.sys
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys
R2 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
R2 CatnHat;CatnHat;C:\WINDOWS\System32\drivers\CatnHat.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\System32\DRIVERS\nvtunep.sys
R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe"
R3 cdrdrv;Cdrdrv;C:\WINDOWS\System32\Drivers\Cdrdrv.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys
S2 CADopia License Manager;CADopia License Manager;C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
S2 lmgrd;Flexlm;C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
S2 windrvNT;windrvNT;\??\C:\WINDOWS\System32\windrvNT.sys
S3 Aliasiilace;Aliasiilace;C:\WINDOWS\System32\drivers\drmkaud.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\System32\Drivers\ICAM5D2.sys
S3 pmxscan;USB USB FlatBed Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys
S3 USBVSP;USBVSP;C:\WINDOWS\System32\drivers\Usbvsp.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 00:15:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-09 0:18:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 19:43
C:\ComboFix3.txt ... 2007-11-25 10:04
.
--- E O F ---

[pacosaff]

And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:56, on 09/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\ICONDESK\IconDesk.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196194709687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 12114 bytes

Many thanks for all your time

[Mr_JAk3]

Hi again, we'll continue

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Run a scan with Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, you should now mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found
• If so, click it and then click the next icon right below and select Move incurable
• After the scan, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot the computer in Normal Mode,
• Post the Cure-it report and a fresh HijackThis log

[pacosaff]

WOW! After a 12 hour scan, i had to try 3 times before Windows would load. Such a relief!

Here are the new logs:

Dr. Web cure-it:

shutdown.exe;C:\Documents and Settings\Pacosaff\My Documents\Windows XP Inside Out\Windows XP Inside Out\Author Extras;Tool.ShutDown.10;;
PATCH.0XE;C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.fo;Win32.HLLW.MyBot;Deleted.;
Deep Paint 3D v2.0.exe;C:\Downloads;Win95.SK;Incurable.Moved.;
CncRt32.exe;C:\MMFusion\Programs\data\Runtime;BackDoor.JustFun;Deleted.;
patch.exe;C:\Program Files\Alteros 3D;Win32.HLLW.MyBot;Deleted.;
Tut_support.exe;C:\Program Files\AnswersThatWork\Troubleshooter;Modification of BackDoor.Generic.1219;Moved.;
UltimateTroubleshooter.exe;C:\Program Files\AnswersThatWork\Troubleshooter;Probably BACKDOOR.Trojan;;
agtpch32.dll;C:\Program Files\Common Files\Atomica Shared;Trojan.Peflog.origin;Incurable.Moved.;
agtpchnt.dll;C:\Program Files\Common Files\Atomica Shared;Trojan.Peflog.origin;Incurable.Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch.origin;;
htdvdauthor.dll;C:\Program Files\honestech VHS to DVD 2.0;Adware.Cinmus.origin;;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;;
iwapi.chm\DLLGeneral.html;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK\iwapi.chm;Modification of BAT.Wed.4730;;
iwapi.chm;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK;Archive contains infected objects;Moved.;
FileTransfert.dll;C:\Program Files\ubi.com\Core;Trojan.Inject.origin;Incurable.Moved.;
zetacaspol.exe;C:\Program Files\zeta producer Desktop 7 ENU\Applications;Win32.HLLW.Folder.origin;Incurable.Moved.;
A0000139.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win95.SK;Incurable.Moved.;
A0000140.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;BackDoor.JustFun;Deleted.;
A0000141.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win32.HLLW.MyBot;Deleted.;
A0000142.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Modification of BackDoor.Generic.1219;Moved.;
A0000143.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Peflog.origin;Incurable.Moved.;
A0000144.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Peflog.origin;Incurable.Moved.;
A0000145.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Inject.origin;Incurable.Moved.;
A0000146.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win32.HLLW.Folder.origin;Incurable.Moved.;
PATCH.0XE;C:\unzipped\ssg-br10\crack;Win32.HLLW.MyBot;Deleted.;


And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45:56, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hserver.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196194709687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe

--
End of file - 10489 bytes


How are we doing? Many thanks again