PDA

View Full Version : Problem with Virtumonde


alphaj2
2008-04-06, 02:39
Hello, I've had problems with Virtumonde for a week or so now, I've used various spyware and malware removal programs to try and get rid of it. Even though I think it has been removed, after a couple days or so Spybot's resident comes up with a browser helper object trying to add a registry key and when I run Spybot, it finds Virtumonde again. I attempted to run Kaspersky Online Scanner in Internet Explorer but after I allow ActiveX and click the accept button, nothing happens. I have run Hijack This and attached is the produced log in two separate files (too big for one attachment). Thank you in advance for your help.
Rorschach112
2008-04-08, 20:30
Hello

Please don't attach the logs


Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
alphaj2
2008-04-09, 06:56
The following is the Combofix log file:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-08 23:32:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2042 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\gbRve12
C:\WINDOWS\BM57b8025e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\adeeg.ini
C:\WINDOWS\SYSTEM32\adeeg.ini2
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\SYSTEM32\ddeeg.ini
C:\WINDOWS\SYSTEM32\ddeeg.ini2
C:\WINDOWS\system32\disk.exe
C:\WINDOWS\SYSTEM32\gjkkj.ini2
C:\WINDOWS\system32\nnnopqq.dll
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\SYSTEM32\utvwa.ini
C:\WINDOWS\SYSTEM32\utvwa.ini2
C:\WINDOWS\system32\vwadyqwd.dll
C:\WINDOWS\SYSTEM32\wybeg.ini
C:\WINDOWS\SYSTEM32\wybeg.ini2
C:\WINDOWS\SYSTEM32\ybeeg.ini
C:\WINDOWS\SYSTEM32\ybeeg.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD
-------\Legacy_WINDOWS_LOG


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-08 23:37 30,440 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 30,440 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 27,264 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 27,264 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-08 23:03 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-06 02:07 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-08 23:37 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-08 23:37 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 13:19 . 2008-03-30 13:19 474 --ahs---- C:\WINDOWS\SYSTEM32\cilxfsxl.ini
2008-03-30 02:23 . 2008-03-30 13:14 414 --ahs---- C:\WINDOWS\SYSTEM32\iqngmfly.ini
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-29 00:42 . 2008-03-29 01:14 294 --ahs---- C:\WINDOWS\SYSTEM32\nttdgfmh.ini
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:44 . 2008-03-27 22:44 294 --ahs---- C:\WINDOWS\SYSTEM32\disrvmsy.ini
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-08 23:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 09:34 . 2008-03-27 11:40 354 --ahs---- C:\WINDOWS\SYSTEM32\tggkiqfv.ini
2008-03-27 06:52 . 2008-03-27 06:52 294 --ahs---- C:\WINDOWS\SYSTEM32\ymgoavaw.ini
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2008-02-10 04:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-10 04:23 --------- d--h--w C:\Documents and Settings\Justin Grubbs\Application Data\GTek
2008-02-10 04:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13C2439E-4C6B-405B-838E-76B2D19D9955}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AFE017A-2C89-4D9A-A372-80D5DD8A3FD3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{224CAA1B-E6F3-4C9E-9B77-08CBAF712C2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF3E33AD-405C-4B72-8FB3-0E924EC2521D}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc318c67-6661-4507-a22a-65b6da41345d}]
C:\WINDOWS\system32\vdiilesw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"0b9126567f7c"="C:\WINDOWS\System32\BASESRV5.exe" [2004-08-24 00:32 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"548b31c2"="C:\WINDOWS\system32\ylfmgnqi.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnopqq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINDOWS\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 NTBOOT;NTBOOTMGR;C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe []
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{536a27c8-67fd-11dc-a0e2-00038a000015}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e49feb-cb8a-11dc-a171-00038a000015}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:38:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-04-08 23:44:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 04:43:57
Pre-Run: 27,906,232,320 bytes free
Post-Run: 27,782,868,992 bytes free
.
2008-03-30 22:10:25 --- E O F ---
alphaj2
2008-04-09, 06:57
and now the new Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:02 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Justin Grubbs\Desktop\mplayerc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Justin Grubbs\Desktop\mplayerc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 11365 bytes


Thank you for your help.
Rorschach112
2008-04-09, 14:48
Hello

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\SYSTEM32\cilxfsxl.ini
C:\WINDOWS\SYSTEM32\iqngmfly.ini
C:\WINDOWS\SYSTEM32\nttdgfmh.ini
C:\WINDOWS\SYSTEM32\disrvmsy.ini
C:\WINDOWS\SYSTEM32\tggkiqfv.ini
C:\WINDOWS\SYSTEM32\ymgoavaw.ini
C:\WINDOWS\wupdt.exe
G:\Start.exe
F:\Start.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{536a27c8-67fd-11dc-a0e2-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e49feb-cb8a-11dc-a171-00038a000015}]

Driver::
svhost

Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log
alphaj2
2008-04-09, 17:49
Here is the new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:22 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 11253 bytes
Rorschach112
2008-04-09, 20:08
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please go here:
The Spy Killer Forum (http://www.thespykiller.co.uk/index.php?board=1.0)
Click on "New Topic"
Put your name, e-mail address, and this as the title: "C:\WINDOWS\System32\BASESRV5.exe"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:


C:\WINDOWS\System32\BASESRV5.exe


Click Open.
Click Post.
Thank you!



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22} - (no file)
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log and the ComboFix log
alphaj2
2008-04-10, 04:50
I started the new thread under The Spykiller - Spyware and Malware Cleaning > Uploads > , the link is http://thespykiller.co.uk/index.php/topic,6357.new.html#new?PHPSESSID=e9f7f27b7ffd25854a85720ae6a08187

here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:45 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10613 bytes
alphaj2
2008-04-10, 04:51
and the ComboFix log:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-09 21:37:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2035 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 00:01 . 2008-04-09 00:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-09 21:33 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-09 21:35 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-09 11:42 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 21:33 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-09 21:33 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-09 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2008-02-10 04:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-10 04:23 --------- d--h--w C:\Documents and Settings\Justin Grubbs\Application Data\GTek
2008-02-10 04:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_10.41.04.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 15:28:16 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-04-10 02:38:47 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-04-09 15:28:16 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-04-10 02:38:48 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"0b9126567f7c"="C:\WINDOWS\System32\BASESRV5.exe" [2004-08-24 00:32 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"548b31c2"="C:\WINDOWS\system32\ylfmgnqi.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 21:42:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 21:44:08
ComboFix-quarantined-files.txt 2008-04-10 02:43:41
ComboFix2.txt 2008-04-09 15:41:40
ComboFix3.txt 2008-04-09 04:44:01
Pre-Run: 27,650,412,544 bytes free
Post-Run: 27,624,480,768 bytes free
.
2008-04-09 05:03:17 --- E O F ---


Thank you for all of your time and help.
Rorschach112
2008-04-10, 18:31
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\System32\BASESRV5.exe

Driver::
svhost

Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Reboot and post a new HijackThis log
alphaj2
2008-04-11, 02:56
The new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:45 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10389 bytes


While I have your assistance, is there any way to keep Windows Explorer from opening the System32 folder when Windows starts? Thank you.
Rorschach112
2008-04-11, 16:02
Yes hopefully

Can you post the ComboFix log and do this


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
alphaj2
2008-04-11, 23:57
ComboFix log:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-10 19:42:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2022 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin Grubbs\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\BASESRV5.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\System32\BASESRV5.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 00:01 . 2008-04-09 00:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-10 19:34 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-10 19:36 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-09 22:15 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-10 19:34 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-10 19:34 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-10 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_10.41.04.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 15:28:16 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-04-11 00:39:47 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-04-09 15:28:16 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-04-11 00:39:47 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 19:47:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 19:48:09
ComboFix-quarantined-files.txt 2008-04-11 00:47:46
ComboFix2.txt 2008-04-10 02:44:09
ComboFix3.txt 2008-04-09 15:41:40
ComboFix4.txt 2008-04-09 04:44:01
Pre-Run: 27,572,666,368 bytes free
Post-Run: 27,548,401,664 bytes free
.
2008-04-09 05:03:17 --- E O F ---
Rorschach112
2008-04-12, 00:02
Hello

Post the Kaspersky report and do this

Please download RUNSCANNER (http://www.runscanner.net/download.aspx) to your desktop and run it.

When the first page comes up select Beginner Mode
On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log
Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right clicking and selecting send to Zip file

Then upload that as an attachment in your next post.
alphaj2
2008-04-12, 04:03
Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 9:01:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 698660
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 121794
Number of viruses found: 13
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:35:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_GRUBBS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_GRUBBS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-11_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.24504 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\history.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\key3.db Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temp\Acr54F9.tmp Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe/data0002 Infected: not-a-virus:AdWare.Win32.FlashTrack.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero-8.2.8.0_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero-8.2.8.0_eng_update.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Justin Grubbs\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Justin Grubbs\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pedriver.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\BASESRV5.exe.vir Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vwadyqwd.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000598.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0001011.exe Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\change.log Object is locked skipped
C:\WINDOWS\ast_2to3_bp.exe/WISE0006.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\ast_2to3_bp.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\ast_4_bp.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\ast_4_bp.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\gsi.exe/data0002/data0136 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0002 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0003/data0115 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe NSIS: infected - 4 skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10001102}.CDF Object is locked skipped

Scan process completed.


Thank you.
alphaj2
2008-04-12, 04:15
The .zip file from the RunScanner execution is too large to attach (112.2 KB).

Thanks.
Rorschach112
2008-04-12, 14:52
Just to let you know, the cracks you downloaded are responsible for your infection

You will need to host the run file at a site like mediafire.com



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/NHInstall.exe
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe
C:\WINDOWS\ast_2to3_bp.exe
C:\WINDOWS\ast_4_bp.exe
C:\WINDOWS\gsi.exe
C:\WINDOWS\SYSTEM32\Xcite2.exe
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
alphaj2
2008-04-12, 18:03
Here is the link to the RunScanner .zip file

http://www.mediafire.com/?tn9tx9mimjm

When I clicked the Moveit! button, OTMoveIt2 moved the first files but gave me an error saying "Invalid name flag [NHInstall.exe] Must be numerical" so I removed it from the list and continued with the move. Here is the resulting log file.

C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe moved successfully.
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe moved successfully.
C:\WINDOWS\ast_2to3_bp.exe moved successfully.
C:\WINDOWS\ast_4_bp.exe moved successfully.
C:\WINDOWS\gsi.exe moved successfully.
C:\WINDOWS\SYSTEM32\Xcite2.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_105445

Thank you.
Rorschach112
2008-04-12, 18:22
You need to delete this keygen

C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%
alphaj2
2008-04-12, 19:02
I couldn't find that path, so I deleted all of the files associated with that keygen. Thanks.
Rorschach112
2008-04-12, 20:25
Do this

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
alphaj2
2008-04-13, 04:53
Here is the log:

Explorer killed successfully
< C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100% >
File/Folder C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100% not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_215127
Rorschach112
2008-04-13, 14:52
Ok, do this

Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.



@echo off
dir "C:\Documents and Settings\Justin Grubbs\My Documents">C:\peek.txt
start C:\peek.txt
del peek.bat


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in peek.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find peek.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.
alphaj2
2008-04-13, 21:14
Here is the output file:

Volume in drive C has no label.
Volume Serial Number is 548B-316D

Directory of C:\Documents and Settings\Justin Grubbs\My Documents

04/13/2008 02:12 PM <DIR> .
04/13/2008 02:12 PM <DIR> ..
09/27/2006 09:41 PM 11,931 06091449.cab
12/03/2003 02:32 AM 30,208 06091449.dot
09/27/2006 09:50 PM 12,150 06368485.cab
10/30/2003 06:12 AM 29,696 06368485.dot
09/27/2006 09:50 PM 12,334 06369264.cab
12/03/2003 02:32 AM 25,088 06369264.dot
08/05/2007 01:45 PM 367,432 200212101113238901_SD-616T_F306.ZIP
10/29/2005 05:55 PM 481,612 2006-Bugatti-Veyron-W16-Engine-Cutaway-1920x1440.jpg
10/07/2003 05:39 PM 651 6 Months of AOL Included.lnk
09/13/2006 10:59 PM 2,855,080 aawsepersonal.exe
12/12/2004 02:28 AM 841 Ad-Aware SE Personal.lnk
12/13/2003 07:27 PM <DIR> Ad-aware.6.Pro.Build.181 + Extras
06/26/2004 11:53 PM 2,150,574 adaware6181.exe
10/07/2003 07:17 PM 16,251,072 AdbeRdr60_enu_full.exe
10/07/2003 07:18 PM 1,740 Adobe Reader 6.0.lnk
09/11/2005 12:28 AM 1,740 Adobe Reader 7.0.lnk
02/23/2005 09:51 PM 1,495,016 ahead - 2 nero 6 dvd-video plugin.exe
09/12/2004 01:46 AM 4,465,296 AIM 5.9 update.exe
10/30/2003 02:46 AM 199,104 album_pic.jpg
10/07/2003 05:38 PM 1,597 AOL Computer Check-Up.lnk
10/07/2003 05:38 PM 1,615 AOL Spyware Protection.lnk
08/29/2006 10:54 AM 1,005,136 aolsetup.exe
10/07/2003 05:38 PM 2,392,932 AOL_Quick_Reference_Guide.pdf
06/28/2004 03:52 PM 39,936 apa guide.doc
04/03/2006 05:14 PM 20,992 april06kungfuschedule.doc
05/07/2007 01:32 AM 2,090,016 aresregular209_installer.exe
07/13/2006 09:57 PM 980,350 armbreaking.wmv
10/19/2004 11:27 PM 30,720 arthistorypaperassignment.doc
07/14/2004 06:13 PM 25,600 Assign-Reading the Constitution.doc
11/10/2003 02:26 AM 2,860,328 AthleteScrnSvrpc.zip
07/19/2006 12:36 AM 1,651,200 AWorkshopinTwoParts.doc
09/13/2005 06:45 PM 30,699 badassmp3rock.nri
03/17/2005 04:01 PM 73,260,407 band in a box 2004 megapak.exe
12/20/2007 02:57 AM 1,684,480 Banquet[1].doc
11/26/2005 02:43 PM 28,268 BillOfSaleFord.pdf
01/09/2005 08:10 PM 4,990 black album.nra
10/03/2003 03:13 PM 1,671 Burn CDs & DVDs with RecordNow!.lnk
10/20/2006 08:41 PM 1,496,208 ccsetup134.exe
10/20/2006 09:03 PM 386,547 cc_20061020_2102.reg
10/29/2006 03:19 AM 25,524 cc_20061029_0219.reg
10/29/2006 03:20 AM 325 cc_20061029_0220.reg
12/29/2006 06:38 PM 22,287 cc_20061229_1738.reg
03/01/2007 01:22 AM 8,029 cc_20070301_0021.reg
09/18/2004 07:32 PM 3,080 CDBIDXL.DAT
04/25/2005 01:47 PM 23,040 chapter 26 eco terms.doc
04/25/2005 03:44 PM 22,528 chapter 28 eco terms.doc
02/17/2005 02:40 AM 28,672 chapter 4 eco terms.doc
04/26/2006 09:38 PM 57,555 chuck norris stuff.txt
07/13/2004 09:53 PM 22,016 claimofvalueonwork.doc
05/14/2006 11:31 PM 7,051 classic rock vol.1.nra
05/14/2006 11:35 PM 8,716 classic rock vol.2.nra
08/31/2005 12:10 AM 26,664 collegehumor.thatguy.jpg
02/18/2006 05:32 PM 31,135 collegehumorbanana.jpg
06/09/2006 06:04 PM 4,368 coltranejazz.nra
01/09/2007 04:16 PM 220,302 Contract2Hire.pdf
05/11/2004 04:42 AM <DIR> Corel User Files
04/09/2005 07:51 PM 210,083 corvette.jpg
03/27/2007 08:34 AM 110 criminal_history.url
08/05/2007 02:25 PM 1,677,824 CrystalPro.exe
10/26/2003 01:11 AM 3,651,752 csmg.exe
10/26/2003 12:54 AM 1,375,408 csmp.exe
10/25/2003 10:36 PM 4,775,136 csnbg.exe
02/23/2005 12:37 PM <DIR> CyberLink
05/28/2006 02:39 PM 965,343 danica_patrick_6.jpg
04/27/2005 10:25 PM 72,068 death.jpg
10/03/2003 03:16 PM 1,751 Dell Jukebox by musicmatch.lnk
06/27/2002 11:17 AM 603 Dell Picture Studio.lnk
10/03/2003 03:12 PM 1,859 Dell Support.lnk
10/28/2003 12:31 PM 85,424 destruction_1280.jpg
08/27/2007 06:56 PM 9,326,468 devcpp-4.9.9.2_setup.exe
08/08/2006 05:35 PM 25,703 Disco and Funk.nri
12/26/2007 03:05 AM 806 DivX Converter.lnk
12/26/2007 03:06 AM 1,265 DivX Movies.lnk
12/26/2007 03:05 AM 795 DivX Player.lnk
10/10/2003 02:06 AM 5,313,488 DivX51Bundle.exe
08/25/2007 09:19 PM 3,679,430 dlgsetup11_win.zip
04/28/2006 01:01 AM 9,038 doobieccr.nra
08/27/2004 01:22 AM 7,856,812 doom3.wmv
01/25/2004 05:02 PM <DIR> download
11/11/2003 07:27 PM 2,614 drag racer save.txt
07/30/2007 07:47 PM <DIR> Driver update for RADEON 9800 PRO
07/30/2007 07:45 PM <DIR> Driver update for RADEON 9800 PRO - Secondary
12/02/2003 01:35 AM 76,009 DSC_2730.jpg
02/23/2005 04:13 PM 1,221,050 dvd to divx vcd ripper v3 0 0 3+serial.exe
02/23/2005 04:14 PM 660 DVD TO DIVX VCD RIPPER.lnk
03/09/2005 11:56 PM 22,016 eco ch21 questions.doc
03/22/2005 02:49 AM 33,280 eco chapter 5 and 6 terms.doc
03/03/2005 01:14 AM 26,112 eco Chapter 6 Notes.doc
09/02/2006 12:54 PM 86,016 ee-flowchart.doc
03/09/2005 06:25 PM 10,752 Effectiveness of Prisons.ppt
10/28/2003 12:29 PM 25,474 elite_640.jpg
01/17/2005 01:54 AM 7,829 eminem encore1.nra
01/17/2005 01:55 AM 1,167 eminem encore2.nra
12/09/2003 03:19 AM 29,696 english-causal analysis.doc
10/30/2003 02:10 AM 27,136 english-informative essay.doc
09/03/2007 10:47 AM 3,748,544 ephpod277.exe
07/03/2003 04:21 PM 764,859 e_zwt.exe
08/18/2007 11:40 AM 1,604,958 fall07schedule.bmp
09/28/2004 10:48 AM 134,548 fall2004PKTroster.jpg
10/19/2004 11:26 PM 30,720 familyresearchassign2.doc
02/07/2005 03:59 PM 38,912 Fax.doc
02/03/2007 08:31 PM 31,744 FebruaryKungFuSchedule.doc
02/01/2008 04:14 PM 23,552 February_schedule_2008.doc
06/06/2005 07:36 PM 1,836 fg1.nri
06/06/2005 07:38 PM 1,225 fg10.nri
06/06/2005 07:38 PM 1,267 fg11.nri
06/06/2005 07:36 PM 1,666 fg2.nri
06/06/2005 07:37 PM 1,249 fg3.nri
06/06/2005 07:37 PM 1,419 fg4.nri
06/06/2005 07:37 PM 1,633 fg5.nri
06/06/2005 07:37 PM 1,238 fg6.nri
06/06/2005 07:37 PM 1,470 fg7.nri
06/06/2005 07:37 PM 1,849 fg8.nri
06/06/2005 07:38 PM 1,448 fg9.nri
11/12/2006 05:47 PM <DIR> filelib
03/18/2006 11:24 PM 5,175,696 Firefox Setup 1.5.0.1.exe
01/26/2007 12:56 AM 5,971,432 Firefox Setup 2.0.0.1.exe
10/30/2007 07:33 AM 1,606,584 FLVPlayer4Free_Setup.exe
11/24/2004 07:44 PM 1,512,609 FramePkg.exe
10/31/2003 07:37 PM 1,743,281 Game.zip
03/21/2003 02:33 PM 1,539 Get High Speed Internet!.lnk
01/16/2005 03:56 PM 6,242 godsmack.nra
11/13/2003 12:58 AM 451,136 GoogleToolbarInstaller.exe
03/28/2007 12:54 AM 22,528 gpaplan.doc
06/28/2005 10:18 PM 74,306 GwSetup.zip
10/28/2003 12:31 PM 445,350 h2earth_1280.jpg
10/28/2003 12:34 PM 218,740 h2_e3_06.jpg
10/28/2003 12:35 PM 205,803 h2_e3_07.jpg
10/28/2003 12:31 PM 163,022 halo2_trailer_1280.jpg
11/06/2005 02:00 AM 31,411 hardrockmp3.nri
12/04/2006 05:03 PM 51,200 HCC_Unofficial_Transcript.doc
08/11/2007 08:52 PM 23,773 hester.nri
09/13/2007 02:56 PM 47,104 HoustonScheduleupdateSept.2007.doc
09/28/2006 08:25 PM 492,782 image001.zip
10/16/2003 02:12 AM 25,088 Informative and Surprising Essay.doc
01/13/2004 11:35 PM 1,059,460 InstallLan2P076.exe
01/06/2004 12:36 AM 3,130,328 Install_AIM.exe
09/24/2004 03:04 PM 1,127,424 Install_SimUAid.exe
02/19/2005 01:19 PM 5,982,107 iPodder1.1.4.exe
01/19/2005 01:16 AM 41,204,592 iPodSetup.exe
10/22/2006 02:05 PM 12,188 ipod_1st_gen.jpg
08/05/2007 12:19 AM 50,005,304 iTunesSetup.exe
02/01/2005 01:54 AM 2,412 jack2.jpg
01/18/2004 02:27 AM 4,612 james_icon.gif
01/07/2006 06:15 PM 20,480 JanuarySchedule2006.doc
06/18/2006 11:47 PM 21,504 June06schedule.doc
12/09/2003 03:46 AM 27,648 justin essay.doc
01/11/2008 10:20 AM 29,696 Justin_Grubbs_resume.doc
03/20/2004 02:42 PM 4,056 kicker.gif
07/31/2007 06:46 PM 20,992 KungFuScheduleAugust.doc
07/04/2007 05:18 PM 20,992 KungFuSchedulejuly2007.doc
06/08/2007 01:31 PM 24,064 KungFuSchedulejune2007.doc
11/04/2006 12:14 PM 27,648 KungFuscheduleNov.doc
11/09/2007 11:16 AM 23,040 KungFuScheduleNov2007.doc
10/09/2007 10:16 PM 23,040 KungFuScheduleOct1st.doc
05/20/2007 02:45 PM 24,064 KungFuScheduleRemainingofMay07.doc
12/13/2001 08:43 AM 1,645 Learn XP.LNK
10/14/2003 02:57 PM 26,112 Letterofapology.doc
09/16/2006 08:34 PM 31,232 Level 3 test question answers.doc
03/24/2008 10:17 PM <DIR> LimeWire
03/24/2008 10:15 PM 4,559,800 LimeWireWin.exe
01/31/2005 10:27 PM 9,736 mactitle1.jpg
08/29/2006 10:54 AM 1,752 main.ini
11/29/2005 07:37 PM 13,060 martial arts movies.nri
07/04/2007 01:40 PM 27,648 MartialartsSeminarwithMasterBennyMengJuly07.doc
02/13/2005 09:28 PM <DIR> mcafee
11/07/2006 12:02 AM <DIR> McAfee Personal Firewall Plus 2004
02/13/2005 02:20 AM 5,683,455 mcafee personal firewall plus 2004.exe
02/13/2005 02:31 AM 22,441,617 mcafee.exe
12/03/2003 06:19 AM 1,654,354 mgv3_1.exe
07/29/2004 12:52 AM 451,072 Mi Abuelo.ppt
03/12/2006 06:44 PM 6,719 momsuckrock.nra
08/26/2005 09:49 PM 38,912 mom_fax_cover.doc
08/26/2005 09:27 PM 41,984 mom_resume.doc
08/18/2007 03:01 AM 2,223,653 mpc2kxp6490.zip
09/03/2002 08:55 AM 1,750 MSN Explorer.lnk
11/18/2007 09:05 PM <DIR> MultiSIM
09/10/2007 03:53 PM <DIR> My eBooks
10/10/2007 01:08 AM <DIR> My Music
03/02/2008 05:05 AM <DIR> My Pictures
07/31/2007 06:50 PM <DIR> My Videos
06/04/2004 01:28 PM 46,080 Myrel Courtney-Business Plan.ppt
02/17/2007 11:43 AM 153,088 Myrel Resume 09-06.doc
04/08/2007 05:36 PM 1,013,585 myrel UofH.zip
04/08/2007 06:32 PM 36,431 myrel.zip
01/19/2007 07:27 PM <DIR> MyTIData
12/21/2003 12:48 PM 2,360 NECDB.DAT
02/23/2005 09:42 PM <DIR> NeroVision
04/23/2004 12:55 PM 5,101 NETRKDB.DAT
02/13/2005 02:57 AM 5,677,288 network associates - 6 02 1063 - mcafee privacy service.exe
06/04/2006 04:34 PM 508,647 norris.gif
11/25/2007 02:46 PM <DIR> office xp
02/17/2005 01:53 PM 8,985 Offspring, RHCP, Big Tymers.nra
03/19/2008 09:40 AM 74,480 OPD-Justin P Grubbs.pdf
06/08/2004 04:01 PM 21,504 participant observation study.doc
10/13/2006 07:26 PM 255,488 PascoFall2006justinedit.xls
10/05/2004 05:17 PM 29,696 philosophyhume.doc
11/24/2004 09:42 PM 25,600 philosophypaper2.doc
04/12/2008 10:18 PM <DIR> pics
02/13/2005 02:41 AM 67,224 PlgSetup.exe
09/13/2006 11:02 PM 564,390 pltweakse.exe
08/12/2004 01:46 AM 1,622 PokerStars.LNK
08/12/2004 01:44 AM 3,284,224 PokerStarsInstall.exe
08/17/2005 01:44 AM 4,496,272 PokerStarsInstallTEST.exe
10/26/2003 06:06 PM 1,756 Pop-Up Control Center.lnk
10/26/2003 06:06 PM 809 Pop-Up Stopper Free Edition.lnk
02/23/2005 12:30 PM <DIR> Power DVD 5.0
02/23/2005 12:32 PM 1,684 PowerDVD.lnk
04/10/2007 10:56 PM 235,742 promissarynote41007.pdf
12/31/2003 02:29 AM 614,120 pxEngine507.exe
10/08/2003 05:30 PM 423,040 q812989.exe
02/09/2004 02:00 AM 1,237,888 qstp.exe
06/02/2005 10:15 PM 724 QuickTime Player.lnk
02/06/2005 03:57 AM 7,809 rammstein.nra
09/18/2004 09:27 PM 5,028 rap mom.nra
06/10/2006 04:19 PM 9,525 rapmp3.nri
01/15/2007 02:04 PM 96,455 RCDDposition.pdf
10/03/2003 03:17 PM 707 RealOne Player.lnk
02/01/2005 02:37 AM 10,479,136 RealPlayer10-5GOLD.exe
07/14/2004 12:11 AM 3,932,214 record.bmp
01/09/2005 05:20 PM 6,026 redlightdistrict.nra
09/27/2006 11:05 PM 29,184 resume cover letter.doc
10/03/2006 07:59 AM 38,912 resume-Grubbs_Justin_EE.doc
09/11/2006 05:53 PM 38,912 resume.doc
03/10/2005 11:07 PM 59,406 resume.pdf
09/13/2004 11:36 PM 3,683 Resume1.htm
10/24/2003 09:17 AM 8,405,533 RicochetSetup.exe
11/29/2005 12:02 PM 20,559 rock.nri
02/07/2005 03:30 PM 388,246 scan2.zip
09/05/2006 10:50 PM 26,624 September06Specialclasses.doc
09/11/2007 10:12 PM 21,504 SeptemberSchedule.doc
08/17/2007 10:09 AM 6,829,271 Setup_FreeConverter.exe
11/15/2006 05:43 PM 1,661,440 SifuBday.doc
06/09/2006 06:00 PM 8,689 softjazz.nra
10/03/2003 03:07 PM 1,681 Solution Center.lnk
05/03/2006 12:47 AM <DIR> sound card new drivers
01/30/2004 07:35 PM 452 spider.sav
10/07/2004 05:45 AM 945 Spybot - Search & Destroy.lnk
10/07/2004 05:44 AM 4,354,084 spybotsd13.exe
03/24/2008 02:38 AM 9,723,880 spybotsd152.exe
01/09/2005 05:42 PM 4,484 st. anger.nra
06/19/2004 02:47 AM 10,441,734 standardsetup.exe
05/01/2005 08:52 PM 201,893 stewie 1.jpg
05/01/2005 08:57 PM 95,257 stewie 2.jpg
05/01/2005 08:59 PM 497,390 stewie 3.jpg
04/02/2006 04:33 PM 19,968 subwoofer rebuild.doc
12/06/2005 07:22 PM 51,349 t4 poster.jpg
12/06/2005 07:23 PM 76,821 t4 poster2.JPG
09/18/2004 07:32 PM 2,056 TDBIDXL.DAT
01/10/2005 02:24 PM 8,034 tenacious-d.nra
08/12/2004 04:30 AM 22,528 terrorism.doc
07/27/2004 08:00 PM 22,528 Texas constitution.doc
01/19/2007 07:19 PM 18,725,888 TIConnectV1.6.exe
07/01/2004 09:47 AM 33,280 trail of tears paper.doc
02/14/2005 02:09 AM <DIR> Turbo Lister
11/24/2006 10:34 PM <DIR> Turbo Lister Backup
03/17/2006 09:41 PM 106,518 twinturbotang.jpg
04/06/2008 10:43 PM <DIR> UH
05/21/2003 03:21 PM 605 UHVPN.pcf
10/20/2004 12:27 AM 4,478,349 UHVPN_Client_Win.zip
11/01/2006 04:56 PM 10,526,056 uhvpn_client_win_46.exe
06/09/2006 06:08 PM 7,458 upbeatjazz.nra
12/27/2007 03:36 AM 46,080 Updatedscheduledecjan08.doc
12/13/2003 09:15 PM 1,058,011 vlc-0.4.1-win32.exe
03/04/2007 04:14 PM <DIR> Voyage
03/23/2007 10:27 PM 22,528 weightloss.xls
03/24/2007 12:12 AM 64,512 WeightWatch.xls
02/10/2004 12:17 AM 6,908,823 winamp502_snowpatrol.exe
08/25/2007 09:38 PM 4,458,698 WinDLG.zip
06/06/2005 10:43 AM 2,077,424 WindowsXP-KB894391-x86-ENU.exe
04/11/2005 02:57 AM 2,435 wingchun.JPG
04/11/2005 02:49 AM 3,832 wing_c1.jpg
02/09/2008 11:36 PM 186 WirelessSettings.txt
11/04/2006 12:24 PM 1,650,688 WomenselfdefenseHareKrishnaTemple(3)[1].doc
11/04/2006 12:29 PM 1,752,064 Womenselfdefenseladiesworkoutexpress.doc
02/11/2005 03:19 AM 8,911,456 wxp-w2k-8-10-050119a-020581c.exe
11/25/2005 02:14 PM 7,042,540 x-video-converter-cnet.exe
05/13/2005 06:37 PM 208,595 xbox360_wallpaper_1024x768.jpg
11/26/2005 05:41 PM 868 Xilisoft 3GP Video Converter.lnk
08/05/2007 02:21 PM 366,650 XviD-1.1.2-01022007.exe
08/18/2007 02:35 AM 1,142,832 zp403std.exe
02/10/2004 01:51 AM 196,234 [ CD and DVD Appz ] Nero MPEG2 Video Codec Plugin.exe
257 File(s) 468,345,826 bytes
27 Dir(s) 26,686,758,912 bytes free
Rorschach112
2008-04-14, 17:53
Ok post a new HijackThis log and tell me how your PC is running
alphaj2
2008-04-14, 18:39
The new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:12 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Justin Grubbs\lsass.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Justin Grubbs\lsass.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10598 bytes

My PC is running like new, It seems as though I don't have any problems and from what I can tell, new .dll files aren't spontaneously appearing in my system32 folder like they were.
Rorschach112
2008-04-18, 01:43
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Justin Grubbs\lsass.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Click Start > Run > Copy and paste the following in bold sc delete NTSVCMGR > Click ok



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Documents and Settings\Justin Grubbs\lsass.exe
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Reboot and post a new HijackThis log
alphaj2
2008-04-18, 11:56
Here is the OTMoveIt2 log:

Explorer killed successfully
File/Folder C:\Documents and Settings\Justin Grubbs\lsass.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04172008_222402


and the Anti-Malware log:

Malwarebytes' Anti-Malware 1.11
Database version: 646

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 161284
Time elapsed: 1 hour(s), 31 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{7961702e-4d6c-4578-982e-ddb0b0e58028} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0418f3e3-c763-4e02-9ec5-f0ae13b54b0f} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e36e190-77f9-48a1-b0f3-5698425cee9b} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0e010ce6-25f7-436f-baee-5a646b31b9bf} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\InsertSmile.DLL (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookSmile.OutlookSmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\WordSmile.WordSmile (Adware.SmileyDistrict) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{0418f3e3-c763-4e02-9ec5-f0ae13b54b0f} (Adware.SmileyDistrict) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Justin Grubbs\apache.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin Grubbs\My Documents\iPodder1.1.4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uninstall.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000596.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\04122008_105445\WINDOWS\gsi.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Thank you.
Rorschach112
2008-04-18, 13:46
Post a new HijackThis log and tell me how your PC is running
alphaj2
2008-04-19, 00:42
My computer seems fine, I am wondering if you can still help me with preventing the system32 folder from opening on startup. The new HijackThis log file follows. Thank you.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:11 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10093 bytes
Rorschach112
2008-04-21, 02:09
Not sure what is causing that. Few things to do

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png





Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
Rorschach112
2008-04-21, 15:33
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.