
Thread: Virtumonde, Zlob, and ?

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    27

    Virtumonde, Zlob, and ?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:11:18 PM, on 11/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\TSI32\tsircusr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\TSIRCSRV.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Documents and Settings\Owner.DADUPSTAIRS\My Documents\Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5228
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5228
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.readyforcrysis.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O18 - Filter hijack: text/html - {063cdb52-34c2-418f-a776-2cc70f6cfb31} - C:\WINDOWS\system32\mst120.dll
    O20 - AppInit_DLLs: sgetww.dll abwpko.dll
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 8967 bytes

    Hi. This is really tearing me up, up here in the Great North Land. And NO! I don't know Sarah... lol
    I appreciate it, and thank you for your help!

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Navigate to the C:\Documents and Settings\Owner.DADUPSTAIRS\My Documents\Downloads folder and rename HijackThis.exe -> something.exe. Post a fresh HJT log after the renaming is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Nov 2008
    Posts
    27


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:58:34 PM, on 11/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\TSI32\tsircusr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\arservice.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\TSIRCSRV.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Documents and Settings\Owner.DADUPSTAIRS\My Documents\Downloads\something.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5228
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5228
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=DTP&M=GT5228
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
    O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {A3ABBADA-C468-4704-9766-47D7C20F768B} - (no file)
    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\khfGabBt.dll
    O2 - BHO: {d94202de-930c-88d9-b1b4-182efb6f88ea} - {ae88f6bf-e281-4b1b-9d88-c039ed20249d} - C:\WINDOWS\system32\ijpnuj.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: (no name) - {B231C45D-A6F0-4E49-B468-04AB16B882C0} - C:\WINDOWS\system32\nnnKEUlm.dll
    O2 - BHO: (no name) - {C8A58F0A-B761-4D1E-B4BA-FFEA1F210DDA} - C:\WINDOWS\system32\xxyywtqo.dll (file missing)
    O2 - BHO: (no name) - {FE31DB81-4A39-442C-A289-3762286CE1D3} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [102b4a42] rundll32.exe "C:\WINDOWS\system32\olflpedi.dll",b
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.readyforcrysis.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O18 - Filter hijack: text/html - {063cdb52-34c2-418f-a776-2cc70f6cfb31} - C:\WINDOWS\system32\mst120.dll
    O20 - AppInit_DLLs: sgetww.dll abwpko.dll ijpnuj.dll
    O20 - Winlogon Notify: khfGabBt - C:\WINDOWS\SYSTEM32\khfGabBt.dll
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 10285 bytes
    Here it is...
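
The point of the rename in post #2 is that Virtumonde-family infections can hide their registry entries from a process named HijackThis.exe, and the second log above shows entries (O2 BHOs, an O4 Run value, an O20 Winlogon Notify hook) that the first log did not. As an added illustration, not code from this thread or from HijackThis, the script below parses two HJT logs, diffs them, and applies a few triage heuristics of its own (assumptions, not HijackThis output) to separate likely implants from benign entries that merely became visible; the two log excerpts are constructed subsets of the logs in posts #1 and #3.

```python
"""Diff two HijackThis logs and triage the entries that surface after
the tool is renamed. The suspicion heuristics below are this example's
own assumptions about Virtumonde-style entries, not HijackThis output."""
import re

# Constructed excerpts of the logs in posts #1 and #3, not the full files.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O18 - Filter hijack: text/html - {063cdb52-34c2-418f-a776-2cc70f6cfb31} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: sgetww.dll abwpko.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\khfGabBt.dll
O2 - BHO: {d94202de-930c-88d9-b1b4-182efb6f88ea} - {ae88f6bf-e281-4b1b-9d88-c039ed20249d} - C:\WINDOWS\system32\ijpnuj.dll
O2 - BHO: (no name) - {B231C45D-A6F0-4E49-B468-04AB16B882C0} - C:\WINDOWS\system32\nnnKEUlm.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [102b4a42] rundll32.exe "C:\WINDOWS\system32\olflpedi.dll",b
O18 - Filter hijack: text/html - {063cdb52-34c2-418f-a776-2cc70f6cfb31} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: sgetww.dll abwpko.dll ijpnuj.dll
O20 - Winlogon Notify: khfGabBt - C:\WINDOWS\SYSTEM32\khfGabBt.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
"""

# One HJT entry line: a section code (R0-R3, F0-F3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^([RF][0-3]|O\d{1,2}) - (.+)$")
# Run value whose name is eight hex digits, e.g. [102b4a42].
HEX_RUN_NAME = re.compile(r"\[[0-9a-f]{8}\]", re.I)
# rundll32 loading a quoted DLL path and calling a one- or two-character export.
RUNDLL_SHORT_EXPORT = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\w{1,2}$', re.I)


def parse_hjt(text):
    """Return the set of (section, body) pairs found in an HJT log."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def new_entries(before, after):
    """Entries present in the second log but absent from the first."""
    return sorted(parse_hjt(after) - parse_hjt(before))


def suspicion_reasons(section, body):
    """Heuristic tells (assumed here) typical of Virtumonde-style entries."""
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a display name")
    if section == "O2" and body.startswith("BHO: {"):
        reasons.append("BHO whose display name is a bare CLSID")
    if section == "O4" and HEX_RUN_NAME.search(body):
        reasons.append("Run value named with eight hex digits")
    if section == "O4" and RUNDLL_SHORT_EXPORT.search(body):
        reasons.append("rundll32 calling a one- or two-character DLL export")
    if section == "O18" and body.startswith("Filter hijack:"):
        reasons.append("MIME filter hijack (text/html handler replaced)")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs load into every user-mode process")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL runs inside winlogon.exe")
    return reasons


def triage(text):
    """All flagged entries in one log as (section, body, reasons) tuples."""
    flagged = []
    for section, body in sorted(parse_hjt(text)):
        reasons = suspicion_reasons(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


def hidden_implants(before, after):
    """Entries that only surfaced in the second log and also look malicious."""
    return [(s, b, suspicion_reasons(s, b))
            for s, b in new_entries(before, after) if suspicion_reasons(s, b)]


if __name__ == "__main__":
    for section, body, reasons in hidden_implants(LOG_BEFORE, LOG_AFTER):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
```

The Spybot BHO also appears only in the second log, so a plain diff is not enough on its own; the heuristics are what separate it from the nameless and CLSID-named BHOs, which is why both steps are kept.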

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Nov 2008
    Posts
    27

    ComboFix

    ComboFix 08-11-12.01 - Owner 2008-11-13 18:15:53.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1537 [GMT -9:00]
    Running from: c:\documents and settings\Owner.DADUPSTAIRS\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.DADUPSTAIRS\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common\helper.dll
    c:\program files\Common\helper.sig
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\system32\cbXRKcDV.dll
    c:\windows\system32\cervdqvb.dll
    c:\windows\system32\disk.dll
    c:\windows\system32\escfgxxe.dll
    c:\windows\system32\fccbXoOf.dll
    c:\windows\system32\ideplflo.ini
    c:\windows\system32\jjuyjlwm.dll
    c:\windows\system32\khfDWNHw.dll
    c:\windows\system32\mlUEKnnn.ini
    c:\windows\system32\mlUEKnnn.ini2
    c:\windows\system32\nnnKEUlm.dll
    c:\windows\system32\nqydgffh.dll
    c:\windows\system32\sdfthnhm.dll
    c:\windows\system32\wadiecuy.dll
    c:\windows\system32\xoqbsh.dll
    c:\windows\system32\ykrnxurl.dll
    c:\windows\system32\yuceidaw.ini
    c:\windows\wiaserviv.log
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
    .

    2008-11-08 13:50 . 2008-11-08 13:50 23,040 --a------ c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    2008-11-05 22:30 . 2008-11-13 18:16 <DIR> d-------- c:\program files\Common
    2008-11-01 21:47 . 2008-11-01 21:47 <DIR> d-------- c:\program files\Warner Bros. Interactive Entertainment
    2008-11-01 16:26 . 2008-11-01 16:26 <DIR> d-------- c:\program files\Lavasoft
    2008-11-01 14:41 . 2008-11-01 14:41 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-01 14:41 . 2008-11-01 14:41 1,409 --a------ c:\windows\QTFont.for
    2008-11-01 13:57 . 2008-11-13 18:22 32,592 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-13 18:22 32,592 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-13 18:22 32,088 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-13 18:22 32,088 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-13 18:22 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-13 18:22 1,080 --a------ c:\windows\system32\settingsbkup.sfm
    2008-11-01 13:57 . 2008-11-13 18:22 1,080 --a------ c:\windows\system32\settings.sfm
    2008-11-01 13:56 . 2008-11-13 18:25 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.BAK
    2008-11-01 13:55 . 2008-11-13 18:25 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.CDF
    2008-11-01 13:54 . 2006-08-11 14:14 86,446 --a------ c:\windows\system32\instwdm.ini
    2008-11-01 13:54 . 2006-08-11 13:55 10,240 --a------ c:\windows\CTDCRES.DLL
    2008-10-30 16:04 . 2008-10-30 16:04 7,704 --a------ c:\windows\system32\mst120.dll
    2008-10-24 05:58 . 2008-10-15 07:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 17:29 . 2008-09-15 03:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-15 17:27 . 2008-09-08 01:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
    2008-10-15 17:21 . 2008-08-14 01:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-15 17:21 . 2008-08-14 01:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-15 16:32 . 2008-10-15 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-14 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-11-09 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-09 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-02 06:55 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-11-02 06:54 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-02 01:26 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Lavasoft
    2008-11-01 22:56 --------- d-----w c:\program files\Creative
    2008-11-01 22:55 86,016 ----a-w c:\windows\system32\OpenAL32.dll
    2008-11-01 22:55 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Creative
    2008-10-25 01:29 --------- d-----w c:\program files\StarWarsGalaxies
    2008-10-21 00:10 --------- d-----w c:\program files\Diablo II
    2008-10-20 16:25 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\U3
    2008-10-16 05:33 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2008-10-10 18:26 183,128 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-10-10 18:13 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-08-21 22:03 21,840 ----a-w c:\windows\system32\SIntfNT.dll
    2008-08-21 22:03 17,212 ----a-w c:\windows\system32\SIntf32.dll
    2008-08-21 22:03 12,067 ----a-w c:\windows\system32\SIntf16.dll
    2008-08-21 21:58 94,208 ----a-w c:\windows\DIIUnin.exe
    2008-08-21 21:58 2,829 ----a-w c:\windows\DIIUnin.pif
    2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
    2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
    2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-10 177416]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-04-30 230928]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
    "CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
    "nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= c:\windows\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=sgetww.dll abwpko.dll ssiyna.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LapLink Gold\\laplink.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_gardiner\\garrysmod\\hl2.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
    "c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\StarWarsGalaxies\\SwgClient_r.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "8086:TCP"= 8086:TCP:WoW
    "8087:TCP"= 8087:TCP:WoW
    "9081:TCP"= 9081:TCP:WoW
    "9090:TCP"= 9090:TCP:WoW
    "9097:TCP"= 9097:TCP:WoW
    "9100:TCP"= 9100:TCP:WoW

    R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\tsircmir.sys [2004-09-29 2816]
    R2 MySQL4;MySQL4;c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 4.1\my.ini MySQL4 [ ]
    R2 TSISER;TSISER;c:\windows\system32\drivers\TSISER.sys [2004-09-29 43040]
    R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.sys [2004-09-29 5120]
    R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\TSIKBF5.sys [2004-09-29 9728]
    R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2004-09-29 5632]
    S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.sys [2004-09-29 9216]
    S3 gtermddo;gtermddo;c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys [ ]
    S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2004-09-29 4736]
    S3 PLUsbbc2;Laplink USB Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2004-06-03 8960]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{04B76818-CF97-4989-81DB-B469664E0565} - c:\windows\system32\nnnKEUlm.dll
    BHO-{6f6dff10-c0cd-4ecd-9e9d-0c79ad17648e} - c:\windows\system32\ssiyna.dll
    BHO-{A3ABBADA-C468-4704-9766-47D7C20F768B} - (no file)
    BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\khfGabBt.dll
    BHO-{C8A58F0A-B761-4D1E-B4BA-FFEA1F210DDA} - c:\windows\system32\xxyywtqo.dll
    BHO-{FE31DB81-4A39-442C-A289-3762286CE1D3} - (no file)
    HKLM-Run-102b4a42 - c:\windows\system32\wadiecuy.dll
    ShellExecuteHooks-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - c:\windows\system32\khfGabBt.dll
    Notify-khfGabBt - khfGabBt.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = about:blank
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    R0 -: HKLM-Main,Start Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5228
    R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    O8 -: Do&wnload by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_Link.htm
    O8 -: Download A&ll by ReGet Pro - c:\program files\Common Files\ReGet Shared\CC_All.htm
    O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 -: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 -: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 -: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 -: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-13 18:25:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL4]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL4"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\arservice.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\rundll32.exe
    c:\windows\system32\TSIRCSRV.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\ehome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-13 18:29:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-14 03:29:34

    Pre-Run: 171,700,674,560 bytes free
    Post-Run: 172,182,085,632 bytes free

    244 --- E O F --- 2008-10-24 15:05:15


Hi, I only have a little time before work, so I check messages and fulfill all actions required after I arrive home in the PM. I want to thank you so much for all this help. It really shows a great devotion on the part of you and others to lend yourselves so graciously to all of us. Thank YOU!

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    gtermddo
    
    File::
    c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Uninstall old Java versions and get Java 6 Update 7 here.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
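
The ComboFix log in post #5 and the CFScript in post #6 turn on the same three registry persistence points: the AppInit_DLLs value (every user-mode process that loads user32.dll also loads those DLLs), a Winlogon Notify package (loaded by winlogon.exe at logon), and Security Center "DisableMonitoring" values (which tell Security Center not to alert when that product's protection is off). The Python script below is an added example for this thread; it is not part of ComboFix, HijackThis or any post above. It parses the "Reg Loading Points" section in the REGEDIT4-style form ComboFix prints, extracts those entries, and drafts the File:: and Registry:: lines of a CFScript the way post #6 did by hand. The sample log text is constructed from the values shown in the log; the DLL directory c:\windows\system32 is an assumption, because AppInit_DLLs holds bare file names that the loader resolves through its normal search order, so the real path must be confirmed before anything is deleted.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not part of ComboFix, HijackThis or any post.
Parses the REGEDIT4-style dump ComboFix prints, pulls out the persistence
points the thread turns on (AppInit_DLLs, Winlogon Notify packages, Security
Center monitoring overrides) and drafts the File:: / Registry:: lines of a
CFScript for the AppInit_DLLs part. DLL_DIR is an assumption: AppInit_DLLs
names are bare file names resolved by the loader's search order.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, built from the entries printed in the ComboFix log.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ehTray"="c:\\windows\\ehome\\ehtray.exe" [2005-08-05 64512]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\khfGabBt]
[BU]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=sgetww.dll abwpko.dll ssiyna.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""

WINDOWS_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\windows"
NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
SECCENTER_PREFIX = "hkey_local_machine\\software\\microsoft\\security center\\monitoring\\"
DLL_DIR = "c:\\windows\\system32"  # assumption, see module docstring

KEY_RE = re.compile(r"^\[(?!BU\])(.+)\]$")   # "[BU]" is ComboFix's backed-up marker, not a key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_loading_points(text):
    """Return {key_path: {value_name: data}}; keys without values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def dword(data):
    """'dword:00000001' -> 1; anything that is not a dword -> None."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    return int(m.group(1), 16) if m else None


@dataclass
class Findings:
    appinit_dlls: list = field(default_factory=list)         # DLLs injected into every user-mode process
    winlogon_notify: list = field(default_factory=list)      # packages winlogon.exe loads at logon
    monitoring_disabled: list = field(default_factory=list)  # products Security Center is told to ignore


def triage(keys):
    """Pick the three persistence mechanisms out of the parsed key dump."""
    f = Findings()
    for key, values in keys.items():
        lk = key.lower()
        if lk == WINDOWS_KEY:
            raw = values.get("AppInit_DLLs", "").strip('"')
            f.appinit_dlls = [d for d in re.split(r"[ ,]+", raw) if d]
        elif lk.startswith(NOTIFY_PREFIX):
            f.winlogon_notify.append(key[len(NOTIFY_PREFIX):])
        elif lk.startswith(SECCENTER_PREFIX) and dword(values.get("DisableMonitoring", "")) == 1:
            f.monitoring_disabled.append(key[len(SECCENTER_PREFIX):])
    return f


def build_cfscript(f, dll_dir=DLL_DIR):
    """Draft the File::/Registry:: lines that clear AppInit_DLLs, as post #6 did.

    Winlogon Notify and Security Center hits are only reported, not scripted:
    a Notify package can belong to a legitimate product, and DisableMonitoring=1
    is written by real AV suites as well as by malware, so a human decides.
    """
    if not f.appinit_dlls:
        return ""
    lines = ["File::"]
    lines += [f"{dll_dir}\\{name}" for name in f.appinit_dlls]
    lines += ["", "Registry::",
              "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]",
              '"AppInit_DLLs"=""']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_reg_loading_points(SAMPLE_LOG))
    print("AppInit_DLLs:", found.appinit_dlls)
    print("Winlogon Notify packages:", found.winlogon_notify)
    print("Security Center monitoring disabled for:", found.monitoring_disabled)
    print(build_cfscript(found))
```

Run as a script it prints the three findings and the draft. The Driver:: line and the ~.exe entry in post #6 came from the services list and the scan output, which this parser does not cover; the Winlogon Notify and Security Center items are listed but deliberately left out of the draft, since legitimate products write those keys as well and the decision belongs to whoever reads the log.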

  7. #7
    Junior Member
    Join Date
    Nov 2008
    Posts
    27

    Default

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, November 15, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, November 14, 2008 20:14:58
    Records in database: 1385149
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Files scanned: 108616
    Threat name: 6
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 01:25:51


    File name / Threat name / Threats count
    C:\Documents and Settings\Owner.DADUPSTAIRS\~.exe Infected: Trojan.Win32.Agent.amvk 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\jjuyjlwm.dll.vir Infected: Trojan.Win32.Monder.yio 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ykrnxurl.dll.vir Infected: Trojan.Win32.Monder.yqf 1
    C:\WINDOWS\system32\LoveFly.dll Infected: Trojan-GameThief.Win32.WOW.arz 1
    C:\WINDOWS\system32\mst120.dll Infected: Trojan-Downloader.Win32.DlKroha.m 1
    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

    The selected area was scanned.





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:18 AM, on 11/15/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\TSI32\tsircusr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\arservice.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\TSIRCSRV.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
    C:\Documents and Settings\Owner.DADUPSTAIRS\My Documents\Downloads\something.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5228
    O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: Do&wnload by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Pro - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by127fd.bay127.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.readyforcrysis.com/sysreqlab2.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O20 - AppInit_DLLs: sgetww.dll abwpko.dll ssiyna.dll
    O20 - Winlogon Notify: khfGabBt - C:\WINDOWS\
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: TSI Remote Control Service (TSIRCSRV) - Laplink Software, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 8712 bytes





    ComboFix 08-11-12.01 - Owner 2008-11-14 21:48:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1563 [GMT -9:00]
    Running from: c:\documents and settings\Owner.DADUPSTAIRS\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.DADUPSTAIRS\Desktop\CFScript.lnk
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
    .

    2008-11-14 21:43 . 2008-11-14 21:43 <DIR> d-------- c:\windows\LastGood
    2008-11-13 22:28 . 2008-10-24 02:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-13 22:27 . 2008-09-04 08:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-08 13:50 . 2008-11-08 13:50 23,040 --a------ c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    2008-11-05 22:30 . 2008-11-13 18:16 <DIR> d-------- c:\program files\Common
    2008-11-01 21:47 . 2008-11-01 21:47 <DIR> d-------- c:\program files\Warner Bros. Interactive Entertainment
    2008-11-01 16:26 . 2008-11-01 16:26 <DIR> d-------- c:\program files\Lavasoft
    2008-11-01 14:41 . 2008-11-01 14:41 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-01 14:41 . 2008-11-01 14:41 1,409 --a------ c:\windows\QTFont.for
    2008-11-01 13:57 . 2008-11-14 06:44 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-14 06:44 31,056 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-14 06:44 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-14 06:44 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-14 06:44 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-14 06:44 1,080 --a------ c:\windows\system32\settingsbkup.sfm
    2008-11-01 13:57 . 2008-11-14 06:44 1,080 --a------ c:\windows\system32\settings.sfm
    2008-11-01 13:56 . 2008-11-14 21:47 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.BAK
    2008-11-01 13:55 . 2008-11-14 21:47 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.CDF
    2008-11-01 13:54 . 2006-08-11 14:14 86,446 --a------ c:\windows\system32\instwdm.ini
    2008-11-01 13:54 . 2006-08-11 13:55 10,240 --a------ c:\windows\CTDCRES.DLL
    2008-10-30 16:04 . 2008-10-30 16:04 7,704 --a------ c:\windows\system32\mst120.dll
    2008-10-24 05:58 . 2008-10-15 07:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 17:29 . 2008-09-15 03:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-15 17:27 . 2008-09-08 01:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
    2008-10-15 17:21 . 2008-08-14 01:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-15 17:21 . 2008-08-14 01:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-15 16:32 . 2008-10-15 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-15 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-11-09 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-09 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-02 06:55 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-11-02 06:54 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-02 01:26 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Lavasoft
    2008-11-01 22:56 --------- d-----w c:\program files\Creative
    2008-11-01 22:55 86,016 ----a-w c:\windows\system32\OpenAL32.dll
    2008-11-01 22:55 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Creative
    2008-10-25 01:29 --------- d-----w c:\program files\StarWarsGalaxies
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-21 00:10 --------- d-----w c:\program files\Diablo II
    2008-10-20 16:25 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\U3
    2008-10-16 23:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 23:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 23:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 23:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 23:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 23:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 05:33 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2008-10-10 18:26 183,128 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-10-10 18:13 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-10-01 01:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-21 22:03 21,840 ----a-w c:\windows\system32\SIntfNT.dll
    2008-08-21 22:03 17,212 ----a-w c:\windows\system32\SIntf32.dll
    2008-08-21 22:03 12,067 ----a-w c:\windows\system32\SIntf16.dll
    2008-08-21 21:58 94,208 ----a-w c:\windows\DIIUnin.exe
    2008-08-21 21:58 2,829 ----a-w c:\windows\DIIUnin.pif
    2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-13_18.28.59.92 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-11-14 07:30:06 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
    + 2008-07-19 06:10:48 94,920 ----a-w c:\windows\LastGood\system32\cdm.dll
    + 2008-07-19 06:09:44 563,912 ----a-w c:\windows\LastGood\system32\wuapi.dll
    + 2008-07-19 06:10:42 53,448 ----a-w c:\windows\LastGood\system32\wuauclt.exe
    + 2008-07-19 06:09:42 1,811,656 ----a-w c:\windows\LastGood\system32\wuaueng.dll
    + 2008-07-19 06:09:46 325,832 ----a-w c:\windows\LastGood\system32\wucltui.dll
    + 2008-07-19 06:10:20 36,552 ----a-w c:\windows\LastGood\system32\wups.dll
    + 2008-07-19 06:10:40 45,768 ----a-w c:\windows\LastGood\system32\wups2.dll
    + 2008-07-19 06:09:44 205,000 ----a-w c:\windows\LastGood\system32\wuweb.dll
    - 2008-07-19 06:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
    + 2008-10-16 23:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
    - 2008-04-14 00:12:01 1,306,624 -c--a-w c:\windows\system32\dllcache\msxml6.dll
    + 2008-09-10 01:14:56 1,307,648 -c--a-w c:\windows\system32\dllcache\msxml6.dll
    - 2008-07-19 06:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
    + 2008-10-16 23:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
    - 2008-07-19 06:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
    + 2008-10-16 23:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
    - 2008-07-19 06:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
    + 2008-10-16 23:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
    - 2008-07-19 06:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
    + 2008-10-16 23:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
    - 2008-07-19 06:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
    + 2008-10-16 23:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
    - 2008-10-07 21:19:42 16,721,856 ----a-w c:\windows\system32\MRT.exe
    + 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
    + 2008-10-16 23:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
    + 2008-10-16 23:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
    - 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
    + 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
    + 2008-10-01 01:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
    + 2008-10-01 01:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-10 177416]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-04-30 230928]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
    "CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
    "nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= c:\windows\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGabBt]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=sgetww.dll abwpko.dll ssiyna.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LapLink Gold\\laplink.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_gardiner\\garrysmod\\hl2.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
    "c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\StarWarsGalaxies\\SwgClient_r.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "8086:TCP"= 8086:TCP:WoW
    "8087:TCP"= 8087:TCP:WoW
    "9081:TCP"= 9081:TCP:WoW
    "9090:TCP"= 9090:TCP:WoW
    "9097:TCP"= 9097:TCP:WoW
    "9100:TCP"= 9100:TCP:WoW

    R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\tsircmir.sys [2004-09-29 2816]
    R2 MySQL4;MySQL4;c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 4.1\my.ini MySQL4 [ ]
    R2 TSISER;TSISER;c:\windows\system32\drivers\TSISER.sys [2004-09-29 43040]
    R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.sys [2004-09-29 5120]
    R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\TSIKBF5.sys [2004-09-29 9728]
    R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2004-09-29 5632]
    S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.sys [2004-09-29 9216]
    S3 gtermddo;gtermddo;c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys [ ]
    S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2004-09-29 4736]
    S3 PLUsbbc2;Laplink USB Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2004-06-03 8960]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{32E0F146-5B22-4C3C-8F67-C23680DE9BEC} - (no file)
    BHO-{A3ABBADA-C468-4704-9766-47D7C20F768B} - (no file)
    BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
    BHO-{C8A58F0A-B761-4D1E-B4BA-FFEA1F210DDA} - (no file)
    BHO-{FE31DB81-4A39-442C-A289-3762286CE1D3} - (no file)



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-14 21:55:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL4]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL4"
    .
    Completion time: 2008-11-14 21:58:17
    ComboFix-quarantined-files.txt 2008-11-15 06:57:50
    ComboFix2.txt 2008-11-14 03:30:00

    Pre-Run: 172,053,303,296 bytes free
    Post-Run: 172,039,585,792 bytes free

    229 --- E O F --- 2008-11-14 07:33:02


    OK, here it all is...

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    For some reason you ended up with a file named CFScript.lnk instead of CFScript.txt. Let's try again with the following script.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    gtermddo
    
    File::
    c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys
    C:\WINDOWS\system32\LoveFly.dll
    C:\WINDOWS\system32\mst120.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGabBt]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh hjt log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
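As an added illustration (not part of the thread, and not ComboFix's own code), here is a small Python triage script that scans the "Reg Loading Points" part of a ComboFix log for the indicator classes Blade81's CFScript targets: a populated AppInit_DLLs value, a Winlogon\Notify subkey, Security Center monitoring switched off, and a driver loading from a Temp directory. The sample log lines are constructed after the output posted above; the regexes and the `Finding` type are this example's own.

```python
"""Triage the "Reg Loading Points" part of a ComboFix log for Vundo-style
persistence indicators. Added example, not part of the thread or of ComboFix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the ComboFix output posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGabBt]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sgetww.dll abwpko.dll ssiyna.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\tsircmir.sys [2004-09-29 2816]
S3 gtermddo;gtermddo;c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys [ ]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]*)\]$", re.I)            # [HKEY_...\subkey]
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
# ComboFix service line: <start type> <name>;<display name>;<image path> [date size]
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s*\[")


@dataclass
class Finding:
    kind: str     # indicator category
    detail: str   # subkey name, DLL name, or "<service>: <path>"


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious indicator in a ComboFix log excerpt."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            # Winlogon\Notify packages are loaded into winlogon.exe at logon;
            # Vundo registers one under a random-looking subkey name.
            if re.search(r"\\winlogon\\notify\\", current_key, re.I):
                findings.append(Finding("winlogon_notify", current_key.rsplit("\\", 1)[-1]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is injected into every user32-linked process and is
            # normally empty on XP; each listed DLL deserves a look.
            for dll in m.group(1).strip().strip('"').split():
                findings.append(Finding("appinit_dll", dll))
            continue
        if DISABLE_RE.match(line) and current_key and "security center" in current_key.lower():
            # Third-party suites set this legitimately; listed for review only.
            findings.append(Finding("security_center_disabled", current_key.rsplit("\\", 1)[-1]))
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            # Kernel drivers belong under system32\drivers, not under a Temp dir.
            if re.search(r"\\temp\\", path, re.I):
                findings.append(Finding("temp_driver", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```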

  9. #9
    Junior Member
    Join Date
    Nov 2008
    Posts
    27

    Question Rerun of CF

    ComboFix 08-11-12.01 - Owner 2008-11-15 10:01:52.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1585 [GMT -9:00]
    Running from: c:\documents and settings\Owner.DADUPSTAIRS\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.DADUPSTAIRS\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\docume~1\OWNER~1.DAD\LOCALS~1\Temp\gtermddo.sys
    c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    c:\windows\system32\LoveFly.dll
    c:\windows\system32\mst120.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner.DADUPSTAIRS\~.exe
    c:\windows\system32\LoveFly.dll
    c:\windows\system32\mst120.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GTERMDDO
    -------\Service_gtermddo


    ((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
    .

    2008-11-13 22:28 . 2008-10-24 02:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-13 22:27 . 2008-09-04 08:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-05 22:30 . 2008-11-13 18:16 <DIR> d-------- c:\program files\Common
    2008-11-01 21:47 . 2008-11-01 21:47 <DIR> d-------- c:\program files\Warner Bros. Interactive Entertainment
    2008-11-01 16:26 . 2008-11-01 16:26 <DIR> d-------- c:\program files\Lavasoft
    2008-11-01 14:41 . 2008-11-01 14:41 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-01 14:41 . 2008-11-01 14:41 1,409 --a------ c:\windows\QTFont.for
    2008-11-01 13:57 . 2008-11-15 10:09 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-15 10:09 31,056 --a------ c:\windows\system32\BMXState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-15 10:09 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-15 10:09 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-15 10:09 11,564 --a------ c:\windows\system32\DVCState-{00000003-00000000-00000006-00001102-00000004-20021102}.rfx
    2008-11-01 13:57 . 2008-11-15 10:09 1,080 --a------ c:\windows\system32\settingsbkup.sfm
    2008-11-01 13:57 . 2008-11-15 10:09 1,080 --a------ c:\windows\system32\settings.sfm
    2008-11-01 13:56 . 2008-11-15 10:00 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.BAK
    2008-11-01 13:55 . 2008-11-15 10:10 4,958,588 --a------ c:\windows\{00000003-00000000-00000006-00001102-00000004-20021102}.CDF
    2008-11-01 13:54 . 2006-08-11 14:14 86,446 --a------ c:\windows\system32\instwdm.ini
    2008-11-01 13:54 . 2006-08-11 13:55 10,240 --a------ c:\windows\CTDCRES.DLL
    2008-10-24 05:58 . 2008-10-15 07:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 17:29 . 2008-09-15 03:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
    2008-10-15 17:27 . 2008-09-08 01:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
    2008-10-15 17:21 . 2008-08-14 01:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-15 17:21 . 2008-08-14 01:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-15 17:21 . 2008-08-14 00:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-15 16:32 . 2008-10-15 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-15 07:14 --------- d-----w c:\program files\Java
    2008-11-15 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-11-09 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-09 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-02 06:55 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-11-02 06:54 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-02 01:26 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Lavasoft
    2008-11-01 22:56 --------- d-----w c:\program files\Creative
    2008-11-01 22:55 86,016 ----a-w c:\windows\system32\OpenAL32.dll
    2008-11-01 22:55 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\Creative
    2008-10-25 01:29 --------- d-----w c:\program files\StarWarsGalaxies
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-21 00:10 --------- d-----w c:\program files\Diablo II
    2008-10-20 16:25 --------- d-----w c:\documents and settings\Owner.DADUPSTAIRS\Application Data\U3
    2008-10-16 23:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 23:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 23:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 23:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 23:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 23:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 23:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 23:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 05:33 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
    2008-10-10 18:26 183,128 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-10-10 18:13 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-10-01 01:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-21 22:03 21,840 ----a-w c:\windows\system32\SIntfNT.dll
    2008-08-21 22:03 17,212 ----a-w c:\windows\system32\SIntf32.dll
    2008-08-21 22:03 12,067 ----a-w c:\windows\system32\SIntf16.dll
    2008-08-21 21:58 94,208 ----a-w c:\windows\DIIUnin.exe
    2008-08-21 21:58 2,829 ----a-w c:\windows\DIIUnin.pif
    2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( snapshot_2008-11-14_21.56.48.67 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-19 06:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
    + 2008-10-16 23:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
    - 2007-03-14 08:31:24 135,168 ----a-w c:\windows\system32\java.exe
    + 2008-06-10 10:21:01 135,168 ----a-w c:\windows\system32\java.exe
    - 2007-03-14 08:31:28 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2008-06-10 10:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
    - 2007-03-14 10:04:46 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2008-06-10 11:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-10 177416]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-04-30 230928]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]
    "CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
    "nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-08-19 51984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= c:\windows\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LapLink Gold\\laplink.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\world of warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe"=
    "c:\\Program Files\\Steam\\steamapps\\chris_gardiner\\garrysmod\\hl2.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
    "c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\StarWarsGalaxies\\SwgClient_r.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "8086:TCP"= 8086:TCP:WoW
    "8087:TCP"= 8087:TCP:WoW
    "9081:TCP"= 9081:TCP:WoW
    "9090:TCP"= 9090:TCP:WoW
    "9097:TCP"= 9097:TCP:WoW
    "9100:TCP"= 9100:TCP:WoW

    R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\Drivers\tsircmir.sys [2004-09-29 2816]
    R2 MySQL4;MySQL4;c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt --defaults-file=c:\program files\MySQL\MySQL Server 4.1\my.ini MySQL4 [ ]
    R2 TSISER;TSISER;c:\windows\system32\drivers\TSISER.sys [2004-09-29 43040]
    R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.sys [2004-09-29 5120]
    R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\TSIKBF5.sys [2004-09-29 9728]
    R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2004-09-29 5632]
    S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.sys [2004-09-29 9216]
    S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2004-09-29 4736]
    S3 PLUsbbc2;Laplink USB Cable Driver;c:\windows\system32\Drivers\usbbc2.sys [2004-06-03 8960]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-15 10:11:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL4]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL4"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\explorer.exe
    -> ?:\windows\system32\SETUPAPI.dll
    -> ?:\windows\system32\WS2HELP.dll
    -> ?:\windows\system32\WS2HELP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\arservice.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\system32\TSIRCSRV.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-15 10:15:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-15 19:14:37
    ComboFix.txt 2008-11-15 06:58:19
    ComboFix2.txt 2008-11-14 03:30:00
    ComboFix3.txt 2008-11-15 18:54:12

    Pre-Run: 171,881,291,776 bytes free
    Post-Run: 171,860,779,008 bytes free

    237 --- E O F --- 2008-11-14 07:33:02



    Hi, maybe the problem was I saved CFS to Documents instead of Desktop?
    anyway...

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Could you post a fresh hjt log too, please?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
