
Thread: Help me! 30 Problems won't go away!

  1. #41
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    And here's the much, much, much... much smaller VundoFix log

    VundoFix V6.7.7

    Checking Java version...

    Scan started at 2:42:35 AM 12/24/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\nwgcxlbw.dll
    C:\windows\system32\nwgcxlbw.dllbox

  2. #42
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,479


    Do you know what this is?
    C:\Documents and Settings\jd\Desktop\Wizit's junk\Runescape\Bots & Autos\Autofighter_Package\Autofighter Cheat Package\Hackers\wpeproalpha\wpeproalpha\WPE PRO.exe



    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      Folder::
      C:\VundoFix Backups
      File::
      C:\WINDOWS\system32\nwgcxlbw.dll
      C:\windows\system32\nwgcxlbw.dllbox
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip
      C:\Documents and Settings\jd\Desktop\Wizit's junk\Runescape\Bots & Autos\Autofighter_Package.zip
      C:\Program Files\ComPlus Applications\rtelecirt.html
      Folder::
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    How are things running now ?
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #43
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119


    ComboFix 07-12-21.4 - jd 2007-12-25 19:03:34.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.236 [GMT -6:00]
    Running from: C:\Documents and Settings\jd\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jd\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip
    C:\Documents and Settings\jd\Desktop\Wizit's junk\Runescape\Bots & Autos\Autofighter_Package.zip
    C:\Program Files\ComPlus Applications\rtelecirt.html
    C:\WINDOWS\system32\nwgcxlbw.dll
    C:\windows\system32\nwgcxlbw.dllbox
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip
    C:\Documents and Settings\jd\Desktop\Wizit's junk\Runescape\Bots & Autos\Autofighter_Package.zip
    C:\Program Files\ComPlus Applications\rtelecirt.html
    C:\VundoFix Backups
    C:\VundoFix Backups\addmorefiles.txt
    C:\VundoFix Backups\cfjoyehl.dll.bad
    C:\VundoFix Backups\cutcyrpz.dll.bad
    C:\VundoFix Backups\cutcyrpz.dllbox.bad
    C:\VundoFix Backups\dalprhty.dll.bad
    C:\VundoFix Backups\dnikvuqv.dll.bad
    C:\VundoFix Backups\enqyaeft.ini.bad
    C:\VundoFix Backups\eouqhtkr.dll.bad
    C:\VundoFix Backups\gijcqsqh.dll.bad
    C:\VundoFix Backups\hqpjlkrf.dll.bad
    C:\VundoFix Backups\jscfmmfs.dll.bad
    C:\VundoFix Backups\keskugxu.dll.bad
    C:\VundoFix Backups\lvesbntv.dll.bad
    C:\VundoFix Backups\npgktrlm.dll.bad
    C:\VundoFix Backups\ptorrbxj.dll.bad
    C:\VundoFix Backups\tbgsjiaa.dll.bad
    C:\VundoFix Backups\tfeayqne.dll.bad
    C:\VundoFix Backups\tprwdjxj.dll.bad
    C:\VundoFix Backups\unpdlupp.dll.bad
    C:\VundoFix Backups\vcgunrbq.dll.bad
    C:\VundoFix Backups\vdudvqob.dll.bad
    C:\VundoFix Backups\vptlfctr.dll.bad
    C:\VundoFix Backups\vtnbsevl.ini.bad
    C:\VundoFix Backups\xbsimgda.dll.bad
    C:\VundoFix Backups\ygbbpvuu.dll.bad

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
    .

    2007-12-25 11:38 . 2007-12-25 13:55 74 --a------ C:\WINDOWS\RCAMPEG4VC.ini
    2007-12-25 10:53 . 2007-12-25 10:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-25 10:53 . 2007-12-25 10:53 <DIR> d-------- C:\WINDOWS\LastGood
    2007-12-25 10:53 . 2007-12-25 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-24 02:20 . 2007-12-24 02:20 14,033 --a------ C:\posE1C.tmp
    2007-12-24 02:12 . 2007-12-24 02:23 <DIR> d-------- C:\Program Files\Runescape Apocalypse Client
    2007-12-24 01:39 . 2007-12-24 01:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-24 01:39 . 2007-12-25 13:20 <DIR> d-------- C:\Documents and Settings\jd\Application Data\AVG7
    2007-12-24 01:38 . 2007-12-24 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-24 01:38 . 2007-12-24 02:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-22 20:25 . 2007-12-22 20:25 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-21 21:07 . 2007-12-21 21:07 14,033 --a------ C:\posDA8.tmp
    2007-12-21 21:06 . 2007-12-21 21:06 14,033 --a------ C:\posC75.tmp
    2007-12-21 19:39 . 2007-12-21 19:39 14,033 --a------ C:\posBB7.tmp
    2007-12-21 19:38 . 2007-12-21 19:38 14,033 --a------ C:\posAC4.tmp
    2007-12-21 16:02 . 2007-12-21 16:02 14,033 --a------ C:\pos9C4.tmp
    2007-12-21 16:01 . 2007-12-21 16:01 14,033 --a------ C:\pos94B.tmp
    2007-12-21 16:00 . 2007-12-21 16:00 14,033 --a------ C:\pos844.tmp
    2007-12-21 13:54 . 2007-12-21 13:54 14,033 --a------ C:\pos5DB.tmp
    2007-12-21 13:53 . 2007-12-21 13:53 14,033 --a------ C:\pos4FA.tmp
    2007-12-20 15:58 . 2007-12-20 15:58 14,033 --a------ C:\pos811.tmp
    2007-12-20 15:57 . 2007-12-20 15:57 14,033 --a------ C:\pos7A4.tmp
    2007-12-20 15:56 . 2007-12-20 15:56 14,033 --a------ C:\pos68B.tmp
    2007-12-19 21:02 . 2007-12-19 21:02 14,033 --a------ C:\pos3DF.tmp
    2007-12-19 21:01 . 2007-12-19 21:01 14,033 --a------ C:\posA.tmp
    2007-12-19 20:29 . 2007-12-19 20:29 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Store Purchased
    2007-12-19 20:29 . 2007-12-19 20:29 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Shared
    2007-12-19 20:29 . 2007-12-25 16:56 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Saved
    2007-12-19 20:26 . 2007-12-24 19:23 <DIR> d-------- C:\Program Files\LimeWire
    2007-12-19 20:13 . 2007-12-19 20:13 14,033 --a------ C:\posF3.tmp
    2007-12-19 20:12 . 2007-12-19 20:13 14,033 --a------ C:\pos43.tmp
    2007-12-17 19:33 . 2007-12-17 19:33 <DIR> d-------- C:\Program Files\RCA
    2007-12-17 13:20 . 2007-12-22 12:57 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-12-17 13:16 . 2007-12-17 13:16 <DIR> dr-h----- C:\Documents and Settings\Kyle\Application Data\yahoo!
    2007-12-16 17:47 . 2007-08-03 19:31 <DIR> d-------- C:\Documents and Settings\Kyle\WINDOWS
    2007-12-16 17:47 . 2007-12-16 17:47 <DIR> d--hs---- C:\Documents and Settings\Kyle\UserData
    2007-12-16 17:47 . 2007-08-03 19:36 <DIR> d-------- C:\Documents and Settings\Kyle\Application Data\McAfee.com Personal Firewall
    2007-12-16 17:44 . 2007-12-16 17:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-12-16 15:22 . 2007-12-22 17:01 2,402 --a------ C:\WINDOWS\wininit.ini
    2007-12-16 11:20 . 2007-12-16 19:48 <DIR> d-------- C:\Documents and Settings\jd\Application Data\DivX
    2007-12-15 22:16 . 2007-12-16 17:36 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Lavasoft
    2007-12-15 19:01 . 2007-12-24 18:49 <DIR> d-------- C:\Temp
    2007-12-11 16:35 . 2007-12-11 16:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-12-11 16:35 . 2007-12-11 16:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
    2007-12-11 16:34 . 2007-12-11 16:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
    2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2007-12-11 16:32 . 2007-12-11 16:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
    2007-12-11 16:32 . 2007-12-11 16:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-12-11 16:32 . 2007-12-11 16:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-12-10 19:00 . 2007-12-10 19:00 <DIR> d-------- C:\GMouse20
    2007-12-01 23:35 . 2006-09-13 14:52 561,152 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-12-01 23:35 . 2006-09-13 15:01 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-12-01 23:35 . 2005-12-30 15:34 2,864 --a------ C:\WINDOWS\system32\xvid.inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-25 22:56 --------- d-----w C:\Documents and Settings\jd\Application Data\LimeWire
    2007-12-22 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-22 05:26 --------- d-----w C:\Program Files\RegistryFix
    2007-12-18 01:25 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-17 19:34 --------- d-----w C:\Program Files\Java
    2007-12-11 22:34 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-12-11 22:34 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-12-11 22:34 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
    2007-12-11 22:34 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
    2007-12-11 22:34 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
    2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-12-11 22:33 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-12-11 22:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-12-11 22:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-12-11 22:33 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-12-11 22:33 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-12-11 22:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-12-11 22:33 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-12-11 22:33 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-12-08 19:02 --------- d-----w C:\Program Files\Yahoo!
    2007-12-02 05:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-18 03:17 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-11-18 03:17 --------- d-----w C:\Program Files\rpg2003
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-03 20:22 --------- d-----w C:\Documents and Settings\jd\Application Data\Yahoo!
    2007-11-03 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 20:04 --------- d-----w C:\Program Files\FileZilla
    2007-11-01 14:03 0 ----a-w C:\Documents and Settings\jd\AutoTalkerPro20.exe
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 00:15 --------- d-----w C:\Program Files\Zune
    2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
    2007-09-04 23:56 56 --sh--r C:\WINDOWS\system32\A3D88A52D0.sys
    2007-09-04 23:56 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_12.41.06.98 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 18:09]
    "Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 09:44]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-24 01:38]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    C:\Documents and Settings\jd\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 06:48]
    R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys [2001-08-17 06:10]
    R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys [2002-06-20 16:53]
    R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2005-06-22 18:54]
    S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
    S3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys [2001-08-17 07:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a4aa71-4959-11dc-a30f-0000864da474}]
    \Shell\AutoRun\command - D:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-25 19:06:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-25 19:07:39
    C:\ComboFix2.txt ... 2007-12-25 09:47
    C:\ComboFix3.txt ... 2007-12-24 19:07
    .
    2007-12-12 01:06:33 --- E O F ---

  4. #44
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    I got a ?

    Ummmmmm, when I go to My Computer, my Local Disk (C:) has a big red X for a symbol and then it has literally thousands of "TMP Files". What's weird is that when I go to Windows Media Player or anything really and open a file from my Local Disk (C:), it works, and I don't see any temp files. Is there a way to fix this? Thx

  5. #45
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,479


    Hi Wizit,

    SD Fix

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
    Last edited by katana; 2007-12-27 at 02:52.

  6. #46
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    OK, here's the SDFix log,


    SDFix: Version 1.119

    Run by jd on Thu 12/27/2007 at 07:56 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\PROGRA~1\COMPLU~1\QUCANO~1 - Deleted
    C:\PROGRA~1\COMPLU~1\QUCANO~2 - Deleted
    C:\DOCUME~1\jd\LOCALS~1\Temp\hdo18.tmp - Deleted




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-27 10:11:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Tue 4 Sep 2007 56 ..SHR --- "C:\WINDOWS\system32\A3D88A52D0.sys"
    Tue 4 Sep 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Sun 2 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 26 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 28 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a53bf224a188f23c622431aa5c569c34\BIT1.tmp"

    Finished!

  7. #47
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    And here's the new HijackThis log,

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:23 AM, on 12/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Atievxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mmhp.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - .DEFAULT User Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User 'Default user')
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1186100614029
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

    --
    End of file - 5584 bytes
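The O23 line for MSControlService in the log above is the kind of entry a helper looks for: the service has no recorded owner, a Microsoft-sounding display name, and a binary path that does not exist on disk (HijackThis marks it "(file missing)", and the ComboFix log earlier showed the same service with an empty "[]" where the file timestamp should be). The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses O23 lines in the format shown and applies a few triage heuristics of my own. The three sample lines are copied from the log above; the function names, the dataclasses and the heuristics are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three O23 lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

# O23 layout: "O23 - Service: <display> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Service:
    name: str
    display: str
    owner: str
    path: str
    missing: bool


@dataclass
class Finding:
    service: Service
    reasons: List[str]


def parse_o23(text: str) -> List[Service]:
    """Return one Service per O23 line; lines of any other type are ignored."""
    services = []
    for raw in text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            services.append(Service(m["name"], m["display"], m["owner"],
                                    m["path"], bool(m["missing"])))
    return services


def assess(service: Service) -> Optional[Finding]:
    """Apply simple triage heuristics (my own, not HijackThis's) to one service."""
    reasons = []
    if service.owner == "Unknown owner":
        reasons.append("no vendor recorded for the service binary")
    if service.missing:
        reasons.append("service binary is absent on disk (orphaned or removed)")
    basename = service.path.rsplit("\\", 1)[-1]
    if "." not in basename:
        reasons.append("binary path has no file extension")
    if service.display.lower().startswith("microsoft") and service.owner == "Unknown owner":
        reasons.append("Microsoft-branded display name without a Microsoft owner")
    return Finding(service, reasons) if reasons else None


def suspicious_services(text: str) -> List[Finding]:
    """All services in an HJT log that trip at least one heuristic."""
    return [f for f in (assess(s) for s in parse_o23(text)) if f]


if __name__ == "__main__":
    for finding in suspicious_services(SAMPLE_HJT):
        print(f"{finding.service.name}: {finding.service.path}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the sample, the two AVG services pass cleanly and MSControlService is reported with all four reasons. The heuristics only rank entries for a human to look at; a vendor-signed service can legitimately show "Unknown owner" when its version resource lacks a company name, so the output is a worklist, not a verdict.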

  8. #48
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,479


    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\posDA8.tmp
      C:\posC75.tmp
      C:\posBB7.tmp
      C:\posAC4.tmp
      C:\pos9C4.tmp
      C:\pos94B.tmp
      C:\pos844.tmp
      C:\pos5DB.tmp
      C:\pos4FA.tmp
      C:\pos811.tmp
      C:\pos7A4.tmp
      C:\pos68B.tmp
      C:\pos3DF.tmp
      C:\posA.tmp
      C:\pos43.tmp
      C:\posF3.tmp
      C:\WINDOWS\wininit.ini
      C:\posE1C.tmp
      Driver::
      MSControlService
      Registry::
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a4aa71-4959-11dc-a30f-0000864da474}]
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    find a file
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
    Save it as "All Files" and name it findfiles.bat. Please save it on your desktop.

    @echo off
    rem Clear any results left over from a previous run
    if exist C:\look*.txt del /q C:\look*.txt
    if exist C:\kresults.txt del /q C:\kresults.txt
    rem List every pos???.tmp in the root of C:, including hidden and system files (/a)
    dir /a "C:\pos???.tmp" >> C:\look.txt
    type C:\look*.txt >> C:\kresults.txt
    rem Show the results in Notepad, then remove the working files and this script
    start notepad C:\kresults.txt
    del /q C:\look*.txt
    del /q findfiles.bat
    Exit
    Double-click findfiles.bat. Notepad will open; copy and paste the contents in your reply.
    Last edited by katana; 2007-12-28 at 01:00.
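The File:: list in the CFScript above and the findfiles.bat after it both target one pattern from the ComboFix "Files Created" section: files named pos<hex>.tmp sitting in the root of C:, all exactly 14,033 bytes, created in bursts a minute or two apart. As an added example (not part of this thread, and not ComboFix's own code), the following Python script parses lines in the ComboFix "Files Created" format and groups root-level .tmp files that share a name stem and size, so a reviewer sees the cluster and its time span at a glance instead of eyeballing a long listing. The sample lines are constructed from entries in the log posted earlier; the line regex, the function names and the three-file threshold are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the ComboFix "Files Created" layout
# (created . modified size attrs path), taken from the log posted earlier.
SAMPLE_LOG = r"""
2007-12-25 11:38 . 2007-12-25 13:55 74 --a------ C:\WINDOWS\RCAMPEG4VC.ini
2007-12-24 02:20 . 2007-12-24 02:20 14,033 --a------ C:\posE1C.tmp
2007-12-24 02:12 . 2007-12-24 02:23 <DIR> d-------- C:\Program Files\Runescape Apocalypse Client
2007-12-21 21:07 . 2007-12-21 21:07 14,033 --a------ C:\posDA8.tmp
2007-12-21 21:06 . 2007-12-21 21:06 14,033 --a------ C:\posC75.tmp
2007-12-21 19:39 . 2007-12-21 19:39 14,033 --a------ C:\posBB7.tmp
2007-12-21 19:38 . 2007-12-21 19:38 14,033 --a------ C:\posAC4.tmp
2007-12-17 13:20 . 2007-12-22 12:57 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-11 16:35 . 2007-12-11 16:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
"""

# One "Files Created" line: two timestamps separated by " . ", a size or <DIR>,
# a nine-character attribute string, then the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# A .tmp directly under the drive root whose name is a lowercase stem plus a hex id,
# e.g. C:\posE1C.tmp -> stem "pos", id "E1C".
ROOT_TMP_RE = re.compile(r"^[A-Z]:\\(?P<stem>[a-z]+)(?P<hexid>[0-9A-F]+)\.tmp$")


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed line; section banners and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def find_root_tmp_clusters(entries: List[Entry], min_members: int = 3) -> List[Dict]:
    """Group root-level <stem><hex>.tmp files by (stem, size); report groups of
    at least min_members with their creation-time span, earliest first."""
    groups = defaultdict(list)
    for e in entries:
        if e.size is None:
            continue
        m = ROOT_TMP_RE.match(e.path)
        if m:
            groups[(m["stem"], e.size)].append(e)
    clusters = []
    for (stem, size), members in groups.items():
        if len(members) < min_members:
            continue
        members.sort(key=lambda e: e.created)
        clusters.append({
            "stem": stem, "size": size, "count": len(members),
            "first": members[0].created, "last": members[-1].created,
            "paths": [e.path for e in members],
        })
    return clusters


if __name__ == "__main__":
    for c in find_root_tmp_clusters(parse_files_created(SAMPLE_LOG)):
        print(f"{c['count']} x {c['stem']}*.tmp of {c['size']:,} bytes, "
              f"created {c['first']} .. {c['last']}")
        for p in c["paths"]:
            print("  ", p)
```

On the sample this yields a single cluster of five pos*.tmp files of 14,033 bytes created between 2007-12-21 19:38 and 2007-12-24 02:20, which is the same set the CFScript names. The grouping key is (stem, size) on purpose: the second ComboFix log in this thread shows a new generation of pos*.tmp files with different sizes (9,033, 7,033 and so on), and those would surface as separate groups rather than being hidden inside the first.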

  9. #49
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    CF log

    ComboFix 07-12-21.4 - jd 2007-12-27 18:04:09.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.184 [GMT -6:00]
    Running from: C:\Documents and Settings\jd\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jd\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\pos3DF.tmp
    C:\pos43.tmp
    C:\pos4FA.tmp
    C:\pos5DB.tmp
    C:\pos68B.tmp
    C:\pos7A4.tmp
    C:\pos811.tmp
    C:\pos844.tmp
    C:\pos94B.tmp
    C:\pos9C4.tmp
    C:\posA.tmp
    C:\posAC4.tmp
    C:\posBB7.tmp
    C:\posC75.tmp
    C:\posDA8.tmp
    C:\posE1C.tmp
    C:\posF3.tmp
    C:\WINDOWS\wininit.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\pos3DF.tmp
    C:\pos43.tmp
    C:\pos4FA.tmp
    C:\pos5DB.tmp
    C:\pos68B.tmp
    C:\pos7A4.tmp
    C:\pos811.tmp
    C:\pos844.tmp
    C:\pos94B.tmp
    C:\pos9C4.tmp
    C:\posA.tmp
    C:\WINDOWS\wininit.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_MSCONTROLSERVICE
    -------\MSControlService


    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
    .

    2007-12-27 07:28 . 2007-12-27 07:28 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-26 00:08 . 2007-12-26 00:12 <DIR> d-------- C:\TMP Files
    2007-12-25 11:38 . 2007-12-27 07:51 82 --a------ C:\WINDOWS\RCAMPEG4VC.ini
    2007-12-25 10:53 . 2007-12-25 10:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-25 10:53 . 2007-12-25 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-24 02:12 . 2007-12-24 02:23 <DIR> d-------- C:\Program Files\Runescape Apocalypse Client
    2007-12-24 01:39 . 2007-12-24 01:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-12-24 01:39 . 2007-12-27 10:18 <DIR> d-------- C:\Documents and Settings\jd\Application Data\AVG7
    2007-12-24 01:38 . 2007-12-24 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-12-24 01:38 . 2007-12-24 02:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-12-22 20:25 . 2007-12-22 20:25 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-21 21:06 . 2007-12-21 21:06 9,033 --a------ C:\pos9DA.tmp
    2007-12-21 21:06 . 2007-12-21 21:06 7,033 --a------ C:\pos9C8.tmp
    2007-12-21 21:06 . 2007-12-21 21:06 6,033 --a------ C:\pos9DC.tmp
    2007-12-21 21:06 . 2007-12-21 21:06 5,033 --a------ C:\posA8B.tmp
    2007-12-21 16:02 . 2007-12-21 16:02 14,033 --a------ C:\pos9C1.tmp
    2007-12-21 16:01 . 2007-12-21 16:01 14,033 --a------ C:\pos945.tmp
    2007-12-21 16:00 . 2007-12-21 16:00 14,033 --a------ C:\pos83E.tmp
    2007-12-21 13:54 . 2007-12-21 13:54 14,033 --a------ C:\pos5D9.tmp
    2007-12-21 13:53 . 2007-12-21 13:53 14,033 --a------ C:\pos4EE.tmp
    2007-12-20 15:58 . 2007-12-20 15:58 14,033 --a------ C:\pos80F.tmp
    2007-12-20 15:57 . 2007-12-20 15:57 14,033 --a------ C:\pos78D.tmp
    2007-12-20 15:56 . 2007-12-20 15:56 14,033 --a------ C:\pos68A.tmp
    2007-12-19 21:02 . 2007-12-19 21:02 14,033 --a------ C:\pos3D9.tmp
    2007-12-19 21:01 . 2007-12-19 21:02 14,033 --a------ C:\pos297.tmp
    2007-12-19 20:29 . 2007-12-19 20:29 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Store Purchased
    2007-12-19 20:29 . 2007-12-19 20:29 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Shared
    2007-12-19 20:29 . 2007-12-27 18:06 <DIR> d-------- C:\Documents and Settings\jd\LimeWire Saved
    2007-12-19 20:26 . 2007-12-24 19:23 <DIR> d-------- C:\Program Files\LimeWire
    2007-12-19 20:13 . 2007-12-19 20:13 14,033 --a------ C:\posA3.tmp
    2007-12-19 20:12 . 2007-12-19 20:13 14,033 --a------ C:\pos3B.tmp
    2007-12-17 19:33 . 2007-12-17 19:33 <DIR> d-------- C:\Program Files\RCA
    2007-12-17 13:20 . 2007-12-22 12:57 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-12-17 13:16 . 2007-12-17 13:16 <DIR> dr-h----- C:\Documents and Settings\Kyle\Application Data\yahoo!
    2007-12-16 17:47 . 2007-08-03 19:31 <DIR> d-------- C:\Documents and Settings\Kyle\WINDOWS
    2007-12-16 17:47 . 2007-12-16 17:47 <DIR> d--hs---- C:\Documents and Settings\Kyle\UserData
    2007-12-16 17:47 . 2007-08-03 19:36 <DIR> d-------- C:\Documents and Settings\Kyle\Application Data\McAfee.com Personal Firewall
    2007-12-16 17:44 . 2007-12-16 17:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-12-16 11:20 . 2007-12-16 19:48 <DIR> d-------- C:\Documents and Settings\jd\Application Data\DivX
    2007-12-15 22:16 . 2007-12-16 17:36 <DIR> d-------- C:\Documents and Settings\jd\Application Data\Lavasoft
    2007-12-15 19:01 . 2007-12-24 18:49 <DIR> d-------- C:\Temp
    2007-12-11 16:35 . 2007-12-11 16:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-12-11 16:35 . 2007-12-11 16:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
    2007-12-11 16:34 . 2007-12-11 16:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
    2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2007-12-11 16:32 . 2007-12-11 16:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
    2007-12-11 16:32 . 2007-12-11 16:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-12-11 16:32 . 2007-12-11 16:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-12-10 19:00 . 2007-12-10 19:00 <DIR> d-------- C:\GMouse20
    2007-12-01 23:35 . 2006-09-13 14:52 561,152 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-12-01 23:35 . 2006-09-13 15:01 237,568 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-12-01 23:35 . 2005-12-30 15:34 2,864 --a------ C:\WINDOWS\system32\xvid.inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-27 13:05 --------- d-----w C:\Documents and Settings\jd\Application Data\LimeWire
    2007-12-22 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-22 05:26 --------- d-----w C:\Program Files\RegistryFix
    2007-12-18 01:25 --------- d-----w C:\Program Files\Common Files\InstallShield
    2007-12-17 19:34 --------- d-----w C:\Program Files\Java
    2007-12-11 22:34 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-12-11 22:34 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-12-08 19:02 --------- d-----w C:\Program Files\Yahoo!
    2007-12-02 05:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-18 03:17 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-11-18 03:17 --------- d-----w C:\Program Files\rpg2003
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-03 20:22 --------- d-----w C:\Documents and Settings\jd\Application Data\Yahoo!
    2007-11-03 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-01 20:04 --------- d-----w C:\Program Files\FileZilla
    2007-11-01 14:03 0 ----a-w C:\Documents and Settings\jd\AutoTalkerPro20.exe
    2007-09-04 23:56 56 --sh--r C:\WINDOWS\system32\A3D88A52D0.sys
    2007-09-04 23:56 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_12.41.06.98 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-12-24 06:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2007-12-27 13:56:09 5,476,352 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2007-12-27 13:56:09 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2007-12-24 06:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2007-12-27 13:28:21 5,476,352 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2007-12-27 13:28:21 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" []
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-27 18:09]
    "Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-24 09:44]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-24 01:38]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    C:\Documents and Settings\Kyle\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    C:\Documents and Settings\jd\Start Menu\Programs\Startup\
    Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 11:57:16]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    R3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 06:48]
    R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\EL556ND5.sys [2001-08-17 06:10]
    R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198xdl.sys [2002-06-20 16:53]
    R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2005-06-22 18:54]
    R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;C:\WINDOWS\system32\DRIVERS\WDHAALBA.sys [2001-08-17 07:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0a4aa71-4959-11dc-a30f-0000864da474}]
    \Shell\AutoRun\command - D:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-27 18:13:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-27 18:15:21 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-25 19:07
    C:\ComboFix3.txt ... 2007-12-25 09:47
    .
    2007-12-12 01:06:33 --- E O F ---

  10. #50
    Senior Member
    Join Date
    Jun 2007
    Location
    Missouri
    Posts
    119

    Default

    Volume in drive C has no label.
    Volume Serial Number is 48F2-F4C7

    Directory of C:\

    12/19/2007 09:01 PM 9,033 pos1.tmp
    12/19/2007 09:01 PM 10,033 pos10.tmp
    12/19/2007 08:13 PM 14,033 pos100.tmp
    12/19/2007 08:13 PM 12,033 pos101.tmp
    12/19/2007 08:13 PM 13,033 pos102.tmp
    12/19/2007 08:13 PM 14,033 pos103.tmp
    12/19/2007 08:13 PM 5,033 pos104.tmp
    12/19/2007 08:13 PM 12,033 pos105.tmp
    12/19/2007 08:13 PM 8,033 pos106.tmp
    12/19/2007 08:13 PM 9,033 pos107.tmp
    12/19/2007 08:13 PM 8,033 pos108.tmp
    12/19/2007 08:13 PM 11,033 pos109.tmp
    12/19/2007 08:13 PM 6,033 pos10A.tmp
    12/19/2007 08:13 PM 13,033 pos10B.tmp
    12/19/2007 08:13 PM 14,033 pos10C.tmp
    12/19/2007 08:13 PM 13,033 pos10D.tmp
    12/19/2007 08:13 PM 13,033 pos10E.tmp
    12/19/2007 08:13 PM 5,033 pos10F.tmp
    12/19/2007 09:01 PM 11,033 pos11.tmp
    12/19/2007 08:13 PM 6,033 pos110.tmp
    12/19/2007 08:13 PM 8,033 pos111.tmp
    12/19/2007 08:13 PM 6,033 pos112.tmp
    12/19/2007 08:13 PM 14,033 pos113.tmp
    12/19/2007 08:13 PM 7,033 pos114.tmp
    12/19/2007 08:13 PM 10,033 pos115.tmp
    12/19/2007 08:13 PM 11,033 pos116.tmp
    12/19/2007 08:13 PM 11,033 pos117.tmp
    12/19/2007 08:13 PM 10,033 pos118.tmp
    12/19/2007 08:13 PM 7,033 pos119.tmp
    12/19/2007 08:13 PM 11,033 pos11A.tmp
    12/19/2007 08:13 PM 8,033 pos11B.tmp
    12/19/2007 08:13 PM 7,033 pos11C.tmp
    12/19/2007 08:13 PM 11,033 pos11D.tmp
    12/19/2007 08:13 PM 8,033 pos11E.tmp
    12/19/2007 08:13 PM 5,033 pos11F.tmp
    12/19/2007 09:01 PM 8,033 pos12.tmp
    12/19/2007 08:13 PM 7,033 pos120.tmp
    12/19/2007 08:13 PM 9,033 pos121.tmp
    12/19/2007 08:13 PM 10,033 pos122.tmp
    12/19/2007 08:13 PM 14,033 pos123.tmp
    12/19/2007 08:13 PM 12,033 pos124.tmp
    12/19/2007 08:13 PM 9,033 pos125.tmp
    12/19/2007 08:13 PM 5,033 pos126.tmp
    12/19/2007 08:13 PM 12,033 pos127.tmp
    12/19/2007 08:13 PM 14,033 pos128.tmp
    12/19/2007 08:13 PM 13,033 pos129.tmp
    12/19/2007 08:13 PM 10,033 pos12A.tmp
    12/19/2007 08:13 PM 7,033 pos12B.tmp
    12/19/2007 08:13 PM 7,033 pos12C.tmp
    12/19/2007 08:13 PM 14,033 pos12D.tmp
    12/19/2007 08:13 PM 10,033 pos12E.tmp
    12/19/2007 08:13 PM 7,033 pos12F.tmp
    12/19/2007 09:01 PM 13,033 pos13.tmp
    12/19/2007 08:13 PM 10,033 pos130.tmp
    12/19/2007 08:13 PM 7,033 pos131.tmp
    12/19/2007 08:13 PM 14,033 pos132.tmp
    12/19/2007 08:13 PM 6,033 pos133.tmp
    12/19/2007 08:13 PM 9,033 pos134.tmp
    12/19/2007 08:13 PM 8,033 pos135.tmp
    12/19/2007 08:13 PM 10,033 pos136.tmp
    12/19/2007 08:13 PM 9,033 pos137.tmp
    12/19/2007 08:13 PM 5,033 pos138.tmp
    12/19/2007 08:13 PM 5,033 pos139.tmp
    12/19/2007 08:13 PM 13,033 pos13A.tmp
    12/19/2007 08:13 PM 10,033 pos13B.tmp
    12/19/2007 08:13 PM 5,033 pos13C.tmp
    12/19/2007 08:13 PM 12,033 pos13D.tmp
    12/19/2007 08:13 PM 11,033 pos13E.tmp
    12/19/2007 08:13 PM 12,033 pos13F.tmp
    12/19/2007 09:01 PM 7,033 pos14.tmp
    12/19/2007 08:13 PM 5,033 pos140.tmp
    12/19/2007 08:13 PM 12,033 pos141.tmp
    12/19/2007 08:13 PM 13,033 pos142.tmp
    12/19/2007 08:13 PM 13,033 pos143.tmp
    12/19/2007 08:13 PM 5,033 pos144.tmp
    12/19/2007 08:13 PM 12,033 pos145.tmp
    12/19/2007 08:13 PM 9,033 pos146.tmp
    12/19/2007 08:13 PM 14,033 pos147.tmp
    12/19/2007 08:13 PM 13,033 pos148.tmp
    12/19/2007 08:13 PM 8,033 pos149.tmp
    12/19/2007 08:13 PM 12,033 pos14A.tmp
    12/19/2007 08:13 PM 7,033 pos14B.tmp
    12/19/2007 08:13 PM 14,033 pos14C.tmp
    12/19/2007 08:13 PM 6,033 pos14D.tmp
    12/19/2007 08:13 PM 11,033 pos14E.tmp
    12/19/2007 08:13 PM 10,033 pos14F.tmp
    12/19/2007 09:01 PM 10,033 pos15.tmp
    12/19/2007 08:13 PM 8,033 pos150.tmp
    12/19/2007 08:13 PM 14,033 pos151.tmp
    12/19/2007 08:13 PM 9,033 pos152.tmp
    12/19/2007 08:13 PM 14,033 pos153.tmp
    12/19/2007 08:13 PM 11,033 pos154.tmp
    12/19/2007 08:13 PM 5,033 pos155.tmp
    12/19/2007 08:13 PM 10,033 pos156.tmp
    12/19/2007 08:13 PM 10,033 pos157.tmp
    12/19/2007 08:13 PM 14,033 pos158.tmp
    12/19/2007 08:13 PM 7,033 pos159.tmp
    12/19/2007 08:13 PM 14,033 pos15A.tmp
    12/19/2007 08:13 PM 7,033 pos15B.tmp
    12/19/2007 08:13 PM 6,033 pos15C.tmp
    12/19/2007 08:13 PM 8,033 pos15D.tmp
    12/19/2007 08:13 PM 6,033 pos15E.tmp
    12/19/2007 08:13 PM 8,033 pos15F.tmp
    12/19/2007 09:01 PM 8,033 pos16.tmp
    12/19/2007 08:13 PM 12,033 pos160.tmp
    12/19/2007 08:13 PM 11,033 pos161.tmp
    12/19/2007 08:13 PM 9,033 pos162.tmp
    12/19/2007 08:13 PM 13,033 pos163.tmp
    12/19/2007 08:13 PM 11,033 pos164.tmp
    12/19/2007 08:13 PM 9,033 pos165.tmp
    12/19/2007 08:13 PM 6,033 pos166.tmp
    12/19/2007 08:13 PM 13,033 pos167.tmp
    12/19/2007 08:13 PM 8,033 pos168.tmp
    12/19/2007 08:13 PM 11,033 pos169.tmp
    12/19/2007 08:13 PM 11,033 pos16A.tmp
    12/19/2007 08:13 PM 8,033 pos16B.tmp
    12/19/2007 08:13 PM 6,033 pos16C.tmp
    12/19/2007 08:13 PM 14,033 pos16D.tmp
    12/19/2007 08:13 PM 10,033 pos16E.tmp
    12/19/2007 08:13 PM 9,033 pos16F.tmp
    12/19/2007 09:01 PM 13,033 pos17.tmp
    12/19/2007 08:13 PM 13,033 pos170.tmp
    12/19/2007 08:13 PM 14,033 pos171.tmp
    12/19/2007 08:13 PM 11,033 pos172.tmp
    12/19/2007 08:13 PM 14,033 pos173.tmp
    12/19/2007 08:13 PM 10,033 pos174.tmp
    12/19/2007 08:13 PM 13,033 pos175.tmp
    12/19/2007 08:13 PM 12,033 pos176.tmp
    12/19/2007 08:13 PM 9,033 pos177.tmp
    12/19/2007 08:13 PM 12,033 pos178.tmp
    12/19/2007 08:13 PM 13,033 pos179.tmp
    12/19/2007 08:13 PM 5,033 pos17A.tmp
    12/19/2007 08:13 PM 13,033 pos17B.tmp
    12/19/2007 08:13 PM 6,033 pos17C.tmp
    12/19/2007 08:13 PM 7,033 pos17D.tmp
    12/19/2007 08:13 PM 11,033 pos17E.tmp
    12/19/2007 08:13 PM 12,033 pos17F.tmp
    12/19/2007 09:01 PM 8,033 pos18.tmp
    12/19/2007 08:13 PM 13,033 pos180.tmp
    12/19/2007 08:13 PM 9,033 pos181.tmp
    12/19/2007 08:13 PM 8,033 pos182.tmp
    12/19/2007 08:13 PM 11,033 pos183.tmp
    12/19/2007 08:13 PM 9,033 pos184.tmp
    12/19/2007 08:13 PM 12,033 pos185.tmp
    12/19/2007 08:13 PM 7,033 pos186.tmp
    12/19/2007 08:13 PM 13,033 pos187.tmp
    12/19/2007 08:13 PM 14,033 pos188.tmp
    12/19/2007 08:13 PM 5,033 pos189.tmp
    12/19/2007 08:13 PM 9,033 pos18A.tmp
    12/19/2007 08:13 PM 8,033 pos18B.tmp
    12/19/2007 08:13 PM 14,033 pos18C.tmp
    12/19/2007 08:13 PM 11,033 pos18D.tmp
    12/19/2007 08:13 PM 10,033 pos18E.tmp
    12/19/2007 08:13 PM 14,033 pos18F.tmp
    12/19/2007 09:01 PM 11,033 pos19.tmp
    12/19/2007 08:13 PM 8,033 pos190.tmp
    12/19/2007 08:13 PM 11,033 pos191.tmp
    12/19/2007 08:13 PM 5,033 pos192.tmp
    12/19/2007 08:13 PM 6,033 pos193.tmp
    12/19/2007 08:13 PM 12,033 pos194.tmp
    12/19/2007 08:13 PM 9,033 pos195.tmp
    12/19/2007 08:13 PM 10,033 pos196.tmp
    12/19/2007 08:13 PM 7,033 pos197.tmp
    12/19/2007 08:13 PM 5,033 pos198.tmp
    12/19/2007 08:13 PM 8,033 pos199.tmp
    12/19/2007 08:13 PM 12,033 pos19A.tmp
    12/19/2007 08:13 PM 9,033 pos19B.tmp
    12/19/2007 08:13 PM 12,033 pos19C.tmp
    12/19/2007 08:13 PM 12,033 pos19D.tmp
    12/19/2007 08:13 PM 10,033 pos19E.tmp
    12/19/2007 08:13 PM 14,033 pos19F.tmp
    12/19/2007 09:01 PM 10,033 pos1A.tmp
    12/19/2007 08:13 PM 11,033 pos1A0.tmp
    12/19/2007 08:13 PM 5,033 pos1A1.tmp
    12/19/2007 08:13 PM 11,033 pos1A2.tmp
    12/19/2007 08:13 PM 5,033 pos1A3.tmp
    12/19/2007 08:13 PM 6,033 pos1A4.tmp
    12/19/2007 08:13 PM 11,033 pos1A5.tmp
    12/19/2007 08:13 PM 8,033 pos1A6.tmp
    12/19/2007 08:13 PM 12,033 pos1A7.tmp
    12/19/2007 08:13 PM 11,033 pos1A8.tmp
    12/19/2007 08:13 PM 9,033 pos1A9.tmp
    12/19/2007 08:13 PM 10,033 pos1AA.tmp
    12/19/2007 08:13 PM 5,033 pos1AB.tmp
    12/19/2007 08:13 PM 11,033 pos1AC.tmp
    12/19/2007 08:13 PM 14,033 pos1AD.tmp
    12/19/2007 08:13 PM 11,033 pos1AE.tmp
    12/19/2007 08:13 PM 13,033 pos1AF.tmp
    12/19/2007 09:01 PM 13,033 pos1B.tmp
    12/19/2007 08:13 PM 12,033 pos1B0.tmp
    12/19/2007 08:13 PM 12,033 pos1B1.tmp
    12/19/2007 08:13 PM 5,033 pos1B2.tmp
    12/19/2007 08:13 PM 8,033 pos1B3.tmp
    12/19/2007 08:13 PM 14,033 pos1B4.tmp
    12/19/2007 08:13 PM 10,033 pos1B5.tmp
    12/19/2007 08:13 PM 12,033 pos1B6.tmp
