Virtumonde & Command Service



grilledcheese
2008-08-01, 21:27
Hi, I just recently came across the Trojan "Virtumonde" while scanning, and the malware "Command Service". I am currently running SB-S&D as I write this, but I need advice on getting rid of these if SB-S&D does not. Thanks for any help in advance. So here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:06 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\New Music Folder\Movie Making Crap\DVD Flick\dvdflick.exe
C:\New Music Folder\Movie Making Crap\DVD Flick\bin\ffmpeg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {FFD6B976-50EA-5E6A-9912-0CE52F1C12C5} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\gxrnlkyv.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QQ\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8713 bytes
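
The entries a helper scans for first in a log like the one above are the persistence points: a Run value with a random-looking name (here `9c9471bb`) that uses rundll32 to load a DLL with a generated name from system32, anything at all in `AppInit_DLLs`, a registered service whose binary is gone, and orphaned hooks. The script below is an added example for this thread, not code from the original posts or from HijackThis; the sample lines are excerpted from the 2008-08-01 log above, and the "no vowels in the file stem" and "8 hex digits in the value name" heuristics are my own assumptions, not rules HijackThis applies.

```python
"""Flag the persistence entries a helper looks for first in a HijackThis log."""
import re

# Constructed sample: lines excerpted from the 2008-08-01 HijackThis log
# posted above, in the order HJT prints them. Paths are copied as-is.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {FFD6B976-50EA-5E6A-9912-0CE52F1C12C5} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\gxrnlkyv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: rwgrwk.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QQ\command.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
"""

# HJT line shapes, taken from how the O4/O20/O23 lines appear in the log itself.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HEX_KEY_RE = re.compile(r"^[0-9a-f]{8}$")


def looks_generated(stem: str) -> bool:
    """Assumed heuristic, not an HJT rule: an all-letter file stem with no
    vowel (gxrnlkyv, rwgrwk) is typical of the names Vundo generates."""
    return stem.isalpha() and not any(c in "aeiouAEIOU" for c in stem)


def triage(log_text: str) -> list:
    """Return findings (severity, rule, what, line) for the suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # Run value that uses rundll32 to load a DLL: flag it when the value
            # name is an 8-hex-digit blob or the DLL file name looks generated.
            d = RUNDLL_RE.search(m["cmd"])
            if d:
                stem = d["dll"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if HEX_KEY_RE.match(m["key"]) or looks_generated(stem):
                    findings.append({"severity": "high", "rule": "rundll32-run-key",
                                     "what": f"{m['key']} -> {d['dll']}", "line": line})
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a home machine any non-empty value deserves a look.
            for dll in m["dlls"].replace(",", " ").split():
                findings.append({"severity": "high", "rule": "appinit-dll",
                                 "what": dll, "line": line})
            continue
        m = SERVICE_RE.match(line)
        if m:
            # A registered service whose binary is gone is a leftover
            # persistence point; the registry entry still needs removing.
            if "(file missing)" in m["path"]:
                findings.append({"severity": "medium", "rule": "service-file-missing",
                                 "what": m["name"], "line": line})
            continue
        if "(no file)" in line:
            # Orphaned hook/toolbar/button entries: inert now, but they show
            # what used to be installed.
            findings.append({"severity": "low", "rule": "orphan-entry",
                             "what": line.split(" - ", 1)[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['rule']:<22} {f['what']}")
```

Run against the sample it reports four entries: the orphaned URLSearchHook, the `9c9471bb` rundll32 value, `rwgrwk.dll` in AppInit_DLLs and the missing `cmdService` binary, while the Real, ctfmon and McAfee lines pass. The rules are deliberately narrow; a full log review still reads every line.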

Blade81
2008-08-06, 08:59
Hi

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

grilledcheese
2008-08-06, 18:34
Hello, and thank you Blade for your time and help.

Here's the ComboFix log:

ComboFix 08-08-04.09 - A 2008-08-06 11:03:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.802 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\inst.exe
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\A\Application Data\SKS~1
C:\Documents and Settings\A\Application Data\TSKS~1
C:\Documents and Settings\A\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\A\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe
C:\Program Files\Common Files\{3C947~1
C:\Program Files\Common Files\{9C947~1
C:\Program Files\oin search
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outlook
C:\Program Files\winupdates
C:\WINDOWS\QQ\
C:\WINDOWS\QQ\\kk.vbs
C:\WINDOWS\system32\byXOhIBS.dll
C:\WINDOWS\system32\cnnlre.dll
C:\WINDOWS\system32\crnkpxna.ini
C:\WINDOWS\system32\dyapgu.dll
C:\WINDOWS\system32\fmqrgqgw.dll
C:\WINDOWS\system32\gwlxfvwn.ini
C:\WINDOWS\system32\hecqirkf.ini
C:\WINDOWS\system32\hgGwUoMf.dll
C:\WINDOWS\SYSTEM32\ilhsknxy.ini
C:\WINDOWS\system32\Kjlnpqru.ini
C:\WINDOWS\SYSTEM32\Kjlnpqru.ini2
C:\WINDOWS\system32\lmkgktuy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mggktnhu.dll
C:\WINDOWS\system32\mjsswnqi.dll
C:\WINDOWS\system32\nguhdwcd.dll
C:\WINDOWS\SYSTEM32\nmkfibad.ini
C:\WINDOWS\system32\nuogzu.dll
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\SYSTEM32\tmfhkvnf.ini
C:\WINDOWS\system32\tuvVLdaa.dll
C:\WINDOWS\system32\vjofkj.dll
C:\WINDOWS\system32\vyklnrxg.ini
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\W?nSxS\
C:\WINDOWS\system32\xekqzw.dll
C:\WINDOWS\system32\xxyYoOif.dll
C:\WINDOWS\system32\yayvWqpP.dll
C:\WINDOWS\system32\yayXQGVn.dll
C:\WINDOWS\system32\ywpgueor.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 10:22 . 2008-08-06 10:22 99,712 --a--c--- C:\WINDOWS\SYSTEM32\yxnkshli.dll
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-05 17:43 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-03 10:09 . 2008-08-03 10:09 130,432 --a--c--- C:\WINDOWS\SYSTEM32\nfwtgdcs.dll
2008-08-03 10:09 . 2008-08-03 10:09 130,432 --a------ C:\WINDOWS\SYSTEM32\ltinqe.dll
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-02 10:10 . 2008-08-02 10:10 130,432 --a------ C:\WINDOWS\SYSTEM32\zmiizg.dll
2008-08-02 10:10 . 2008-08-02 10:10 130,432 --a--c--- C:\WINDOWS\SYSTEM32\nncowaip.dll
2008-08-02 10:07 . 2008-08-02 10:07 98,688 --a--c--- C:\WINDOWS\SYSTEM32\anxpknrc.dll
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\A\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-31 10:06 . 2008-07-31 10:06 294 --ahs---- C:\WINDOWS\SYSTEM32\kltyxlyt.ini
2008-07-30 04:00 . 2008-07-30 04:00 323,584 --a------ C:\WINDOWS\SYSTEM32\urqpnljK.dll
2008-07-30 03:51 . 2008-07-30 03:51 65,536 ---hsc--- C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 15:15 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-06 10:25 --------- dc----w C:\Documents and Settings\A\Application Data\BitTorrent
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-04 17:21 --------- d-----w C:\Program Files\Lx_cats
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-08-01 15:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-30 08:03 --------- d-----w C:\Program Files\BitTorrent
2008-07-29 12:02 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 02:29 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27FE8B44-94FE-4E26-8C24-DC560DD1B835}]
2008-07-30 04:00 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"9c9471bb"="C:\WINDOWS\system32\yxnkshli.dll" [2008-08-06 10:22 99712]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rwgrwk.dll zmiizg.dll ltinqe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{FFD6B976-50EA-5E6A-9912-0CE52F1C12C5} - (no file)
HKCU-Run-Vidalia - C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-MSWheel - (no file)
HKU-Default-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\A\Application Data\Mozilla\Firefox\Profiles\gu7b4wtp.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www6.comcast.net/a/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 11:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ilhsknxy.ini 1382137 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-06 11:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 15:24:08

Pre-Run: 6,427,938,816 bytes free
Post-Run: 7,466,651,648 bytes free

295 --- E O F --- 2008-07-09 00:02:14

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:49 AM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\New Music Folder\FIX\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\yxnkshli.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll zmiizg.dll ltinqe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8002 bytes

Blade81
2008-08-06, 20:13
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\A\Application Data\BitTorrent
C:\Program Files\BitTorrent

Empty Recycle Bin.

After that:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.

grilledcheese
2008-08-07, 18:51
Hello again, and many thanks for the help.

Note: I also removed Frostwire; you had not mentioned it, but I went ahead and got rid of it.


Deckard's System Scanner v20071014.68
Run by A on 2008-08-07 11:44:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-08-07 15:44:21 UTC - RP703 - Deckard's System Scanner Restore Point
14: 2008-08-06 15:31:28 UTC - RP702 - Last known good configuration
13: 2008-08-06 15:31:19 UTC - RP701 - ComboFix created restore point
12: 2008-08-06 15:31:19 UTC - RP700 - System Checkpoint
11: 2008-08-06 15:31:19 UTC - RP699 - Removed Vanguard: Saga of Heroes


-- First Restore Point --
1: 2008-08-06 15:31:18 UTC - RP689 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 8.15 GiB (less than 15%) free.


-- HijackThis (run as A.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:43 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\A\Desktop\dss.exe
C:\NEWMUS~1\FIX\TRENDM~1\HIJACK~1\A.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {8fbfef32-ba28-2fba-9244-a136ee42f124} - {421f24ee-631a-4429-abf2-82ab23fefbf8} - C:\WINDOWS\system32\tlhdip.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {720926B8-1158-4B0E-BDFC-206655835EF6} - C:\WINDOWS\system32\urqpnljK.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\evjcwagk.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll zmiizg.dll ltinqe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8455 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 KKW_HID (Kensington HIDClass Filter Driver) - c:\windows\system32\drivers\kkw_hid.sys <Not Verified; Kensington Technology Group; KKW>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys <Not Verified; Mars Semiconductor Corp.; USB Dual-Mode Camera>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 QCDonner (Logitech QuickCam Express) - c:\windows\system32\drivers\ovcd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 lxcg_device - c:\windows\system32\lxcgcoms.exe -service <Not Verified; ; Printer Communication System>

S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 01:00:00 334 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-07-15 01:20:00 342 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2005-08-15 09:01:14 356 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 11:32:37 99200 --a----c- C:\WINDOWS\system32\evjcwagk.dll
2008-08-07 11:32:32 120448 --a------ C:\WINDOWS\system32\tlhdip.dll
2008-08-07 11:32:32 120448 --a----c- C:\WINDOWS\system32\mcsofvbm.dll
2008-08-06 11:32:05 99712 -------c- C:\WINDOWS\system32\bsxtxqgy.dll
2008-08-06 11:32:01 121472 --a------ C:\WINDOWS\system32\mjjugj.dll
2008-08-06 11:32:00 121472 --a----c- C:\WINDOWS\system32\vcbyyubu.dll
2008-08-06 11:31:07 528156 --ahs---- C:\WINDOWS\system32\Kjlnpqru.ini2
2008-08-06 11:00:22 68096 --a------ C:\WINDOWS\zip.exe
2008-08-06 11:00:22 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-06 11:00:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-06 11:00:22 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-06 11:00:22 98816 --a------ C:\WINDOWS\sed.exe
2008-08-06 11:00:22 80412 --a------ C:\WINDOWS\grep.exe
2008-08-06 11:00:22 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 11:00:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 14:31:48 0 d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49:54 0 d------c- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31:09 0 d-------- C:\Program Files\PeerGuardian2
2008-08-03 10:09:53 130432 --a----c- C:\WINDOWS\system32\nfwtgdcs.dll
2008-08-03 10:09:53 130432 --a------ C:\WINDOWS\system32\ltinqe.dll
2008-08-02 15:36:26 0 d-------- C:\Program Files\WinAVI Video Converter
2008-08-02 10:10:48 130432 --a------ C:\WINDOWS\system32\zmiizg.dll
2008-08-02 10:10:47 130432 --a----c- C:\WINDOWS\system32\nncowaip.dll
2008-08-02 10:07:49 98688 --a----c- C:\WINDOWS\system32\anxpknrc.dll
2008-08-01 18:27:42 0 d------c- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22:10 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17:23 0 d------c- C:\Documents and Settings\A\Application Data\ImgBurn
2008-07-31 15:32:40 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-31 15:32:40 0 d------c- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32:40 47360 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-30 04:00:29 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll
2008-07-20 00:35:23 0 d-------- C:\Program Files\Sun
2008-07-16 18:06:06 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-08-06 11:09:31 0 d-------- C:\Program Files\Common Files
2008-08-05 10:16:38 0 d-------- C:\Program Files\McAfee
2008-08-04 13:21:31 0 d-------- C:\Program Files\Lx_cats
2008-08-01 16:23:58 0 d-------- C:\Program Files\Tortun
2008-08-01 12:24:24 33 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.log
2008-08-01 12:24:22 1144 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.inf
2008-08-01 12:24:22 7887 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.cat
2008-08-01 12:22:58 668 --a----c- C:\Documents and Settings\A\Application Data\vso_ts_preview.xml
2008-08-01 11:34:27 0 d-------- C:\Program Files\Sony
2008-08-01 11:30:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-31 17:34:55 0 d-------- C:\Program Files\Google
2008-07-31 16:57:39 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 16:30:39 0 d--h---c- C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 16:27:25 0 d-------- C:\Program Files\DriftCity
2008-07-31 16:02:19 0 d-------- C:\Program Files\Yahoo!
2008-07-31 16:01:10 0 dr-h---c- C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 15:58:19 0 d-------- C:\Program Files\Java
2008-07-30 14:41:51 0 d------c- C:\Documents and Settings\A\Application Data\Atari
2008-07-29 08:02:45 74040 --a----c- C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 18:06:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-15 22:29:06 0 d-------- C:\Program Files\World of Warcraft
2008-07-06 07:40:49 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-16 06:32:38 0 d------c- C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-14 21:31:31 0 d------c- C:\Documents and Settings\A\Application Data\Mozilla
2008-06-14 21:31:23 0 d-------- C:\Program Files\Octoshape Streaming Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421f24ee-631a-4429-abf2-82ab23fefbf8}]
08/07/2008 11:32 AM 120448 --a------ C:\WINDOWS\system32\tlhdip.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720926B8-1158-4B0E-BDFC-206655835EF6}]
07/30/2008 04:00 AM 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [06/15/2004 10:17 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/21/2005 02:07 AM]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [07/20/2005 01:48 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/03/2007 01:55 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/09/2007 02:57 AM]
"kkw_run.exe"="kkw_run.exe" [12/15/2005 04:00 PM C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [09/01/2005 10:43 AM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"9c9471bb"="C:\WINDOWS\system32\evjcwagk.dll" [08/07/2008 11:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [05/22/2008 09:59 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

C:\Documents and Settings\A\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [8/10/2004 3:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=rwgrwk.dll zmiizg.dll ltinqe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqpnljK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=




-- End of Deckard's System Scanner: finished at 2008-08-07 11:46:49 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 1534.07 MiB / 1052.42 MiB
Pagefile Memory (total/avail): 2153.94 MiB / 1780.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.78 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.9 GiB total, 8.15 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380013AS - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 70.9 GiB - C:
\PARTITION2 - Unknown - 3.55 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1125697262\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125697262\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\WoW.exe"="C:\\Program Files\\World of Warcraft\\WoW.exe:*:Enabled:World of Warcraft"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:World of Warcraft"
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"="C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe:*:Enabled:EverQuest"
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"="C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe:*:Enabled:EverQuest II"
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"="C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe:*:Enabled:Flyff"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Filetopia3\\Filetopia.exe"="C:\\Program Files\\Filetopia3\\Filetopia.exe:*:Enabled:Filetopia"
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"="C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe:*:Enabled:Chromosome No.47, by Faldo"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"="C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\keyclone\\keyclone.exe"="C:\\Program Files\\keyclone\\keyclone.exe:*:Enabled:keyclone"
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"="C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe:*:Enabled:Kensington Digital Update of installed software via the Web."
"C:\\Program Files\\Tortun\\gui.exe"="C:\\Program Files\\Tortun\\gui.exe:*:Enabled:gui"
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe:*:Enabled:Main program for Octoshape client"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\A\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D27CPF61
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\A
LOGONSERVER=\\D27CPF61
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\A\LOCALS~1\Temp
TMP=C:\DOCUME~1\A\LOCALS~1\Temp
USERDOMAIN=D27CPF61
USERNAME=A
USERPROFILE=C:\Documents and Settings\A
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

A (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec /X{82D8304F-73D7-4EE6-8472-D0684BAA2865}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC Tool --> C:\PROGRA~1\ACTOOL~1\UNWISE.EXE C:\PROGRA~1\ACTOOL~1\INSTALL.LOG
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AGEIA PhysX v7.05.06 --> MsiExec.exe /X{82D8304F-73D7-4EE6-8472-D0684BAA2865}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AMUST Registry Cleaner --> "C:\Program Files\AMUST\Registry Cleaner\unins000.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{7B76034B-B3ED-46D5-8C66-DEB102CB830A}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDE28287-D32C-415E-9C97-2BF9F9260150} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Multimedia Center 9.01 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5} /l1033
AutoIt v3.2.4.9 --> C:\Program Files\AutoIt3\Uninstall.exe
Browser MOUSE --> C:\Program Files\Browser MOUSE\uninst00.exe
Camera Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\Setup.exe"
Cheat Engine 5.2 --> "C:\Program Files\Cheat Engine5.2\unins000.exe"
Cheat Engine 5.3 --> "C:\Program Files\Cheat Engine\unins001.exe"
CodeStuff Starter --> "C:\Program Files\CodeStuff\Starter\unStarter.exe"
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Command On Demand for Command Software --> rundll32 advpack.dll,LaunchINFSection C:\csscod\uninst.inf,DefaultUninstall
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Cosmo Player 2.1.1 (41451) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CosmoSoftware\CosmoPlayer\CosmoPlayer211.isu"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EQ2MAP Updater 1.0.6 --> C:\Program Files\Sony\EverQuest II\Eq2maps\EQ2MAP Updater\uninst.exe
EverQuest II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EE39B32-BA05-433C-BC0D-35797518A3A5}\ISInst.exe" -l0x9
EverQuest Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A007D3BA-1C94-4286-A0F7-507417495DF7}\setup.exe" -l0x9
Filetopia Client v3.04d --> C:\PROGRA~1\FILETO~1\UNWISE.EXE C:\PROGRA~1\FILETO~1\INSTALL.LOG
Freedom Security & Privacy --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{6CF0D732-8F97-489D-A704-2211D7ACC5D9}
Generations® Beginner's Edition 8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A4BBC64-1207-11D4-93E4-00105A27284D}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ijji Auto Installer --> "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
ijji FireFox Launcher 1.0 --> C:\Documents and Settings\All Users\Application Data\IJJIGame\uninst.exe
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
ISXVG 20070425.0004 --> C:\Program Files\InnerSpace\Uninstall-ISXVG.exe
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kensington Keyboard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B5E17D7-C0CF-4CC3-8870-0181D622B93C}\setup.exe" -l0x9 -u
Kensington MouseWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C78937F-0C8E-11D9-A3EB-0001025FA304}\setup.exe" -l0x9 -u
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 2300 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcgUNST.EXE -NOLICENSE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Script Debugger --> RunDll32 advpack.dll,LaunchINFSection C:\Program Files\Microsoft Script Debugger\ScrptDbg.inf, Uninstall.NT
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpfull.inf,WebPostUninstall
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe D:\
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Octoshape Streaming Services --> C:\Program Files\Octoshape Streaming Services\A\uninst.exe
OIN Search --> C:\Program Files\OIN Search\Uninstall.exe
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Personal Ancestral File 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\Setup.exe"
Personal Ancestral File Companion 5.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91AFACB3-CA46-4C1E-AF2D-F72EE0B112E4}\setup.exe" -l0x9 -uninst -removeonly
PowerDVD 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Real Alternative 1.45 --> "C:\Program Files\Real Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sound Blaster Live! 24-bit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab --> C:\Program Files\Common Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Weather Channel Toolbar --> C:\PROGRA~1\THEWEA~2\UNWISE.EXE C:\PROGRA~1\THEWEA~2\twcINSTALL.LOG
Tortun 0.76 --> "C:\Program Files\Tortun\unins000.exe"
USB-IDE Bridge Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5EAEF66-8B0A-11D4-829A-0050BA025CC8}\Setup.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Westwood Shared Internet Components --> C:\Westwood\Internet\UnstllAP.EXE
WinAVI Video Converter --> "C:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil


-- Application Event Log -------------------------------------------------------

Event Record #/Type7647 / Error
Event Submitted/Written: 08/07/2008 01:54:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application realplay.exe, version 6.0.12.1509, faulting module rjbdll.dll, version 1.0.4.2521, fault address 0x00075c26.
Processing media-specific event for [realplay.exe!ws!]

Event Record #/Type7633 / Warning
Event Submitted/Written: 08/06/2008 06:35:14 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type7630 / Error
Event Submitted/Written: 08/06/2008 04:56:33 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Event Record #/Type7629 / Warning
Event Submitted/Written: 08/06/2008 04:55:52 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles' failed during request for component '{8E46FEFA-D973-6294-B305-E968CEDFFCB9}'

Event Record #/Type7628 / Warning
Event Submitted/Written: 08/06/2008 04:55:52 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles', component '{9C1249C6-4DDB-4A48-BC9F-4AF8D1291AE1}' failed. The resource 'C:\Program Files\Microsoft ActiveSync\RICHINK.DLL' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9746 / Warning
Event Submitted/Written: 08/07/2008 09:39:47 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9745 / Warning
Event Submitted/Written: 08/07/2008 08:35:20 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9744 / Warning
Event Submitted/Written: 08/07/2008 08:29:35 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type9743 / Error
Event Submitted/Written: 08/07/2008 08:00:51 AM
Event ID/Source: 10001 / DCOM
Event Description:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\mdm.exe -Embedding

Event Record #/Type9742 / Error
Event Submitted/Written: 08/07/2008 08:00:48 AM
Event ID/Source: 10001 / DCOM
Event Description:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\mdm.exe -Embedding



-- End of Deckard's System Scanner: finished at 2008-08-07 11:46:49 ------------

Blade81
2008-08-07, 19:05
Hi


Start hjt, do a system scan, check:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\bsxtxqgy.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\zmiizg.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\urqpnljK.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421f24ee-631a-4429-abf2-82ab23fefbf8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720926B8-1158-4B0E-BDFC-206655835EF6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9c9471bb"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
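Before dragging a CFScript onto ComboFix it is worth reading what each directive will actually do. The parser below is an added example, not part of ComboFix, HijackThis or Blade81's post: it turns the script above into a plain-language plan and decodes the hex(7) LSA value to confirm it restores the default msv1_0 authentication package. The embedded script is the one from the post with the file list abridged, and the grammar handled is an assumption limited to the constructs that script uses.

```python
"""Parse a ComboFix CFScript into a reviewable remediation plan.

Added example for this thread, not ComboFix's own code.  Only the CFScript
constructs used in the script above are handled (an assumption, not the full
ComboFix grammar):
  File::          one path per line, to be deleted
  Registry::      .reg-style directives:
    [-KEY]        delete the whole key (ComboFix's '~' shorthand kept verbatim)
    [KEY]         following values apply to this key
    "name"=-      delete the value
    "name"=""     set an empty string (here: clear AppInit_DLLs)
    "name"=hex(7):..  set a REG_MULTI_SZ from comma-separated ANSI bytes
                  (here: reset LSA Authentication Packages to msv1_0)
"""
import re
from dataclasses import dataclass, field

# Script from the thread, file list abridged; embedded so this runs offline.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\urqpnljK.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421f24ee-631a-4429-abf2-82ab23fefbf8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720926B8-1158-4B0E-BDFC-206655835EF6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9c9471bb"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class Plan:
    files: list = field(default_factory=list)          # paths to delete
    delete_keys: list = field(default_factory=list)    # registry keys to delete
    delete_values: list = field(default_factory=list)  # (key, value name)
    set_values: list = field(default_factory=list)     # (key, value name, data)


def decode_multi_sz(payload: str) -> list:
    """Decode a hex(7) payload (comma-separated byte values, ANSI text) into the
    string list of a REG_MULTI_SZ: NUL-terminated strings plus a final NUL."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def parse_cfscript(text: str) -> Plan:
    plan, section, key = Plan(), None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header
            section, key = line[:-2].lower(), None
        elif section == "file":
            plan.files.append(line)
        elif section == "registry" and line.startswith("[-") and line.endswith("]"):
            plan.delete_keys.append(line[2:-1])
            key = None
        elif section == "registry" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif section == "registry" and key is not None and VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()  # name keeps .reg '\\' escaping
            if data == "-":
                plan.delete_values.append((key, name))
            elif data.startswith("hex(7):"):
                plan.set_values.append((key, name, decode_multi_sz(data[7:])))
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                plan.set_values.append((key, name, data[1:-1]))
            else:
                raise ValueError(f"unsupported registry data: {line!r}")
        else:
            raise ValueError(f"unparsed line in section {section!r}: {line!r}")
    return plan


def describe(plan: Plan) -> list:
    """One human-readable line per action, in the order a reviewer would check."""
    out = [f"delete file   {p}" for p in plan.files]
    out += [f"delete key    {k}" for k in plan.delete_keys]
    out += [f"delete value  [{k}] {n}" for k, n in plan.delete_values]
    out += [f"set value     [{k}] {n} = {v!r}" for k, n, v in plan.set_values]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(CFSCRIPT))))
```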

grilledcheese
2008-08-08, 17:25
Hello.

Note: When I started HJT it asked if it could update, so I allowed it and clicked Yes. I don't know if that had an effect on the outcome of the log, but I thought I'd let you know.

Also the Kaspersky Online Scanner kept saying this -
"Please wait to update the virus definitions...
Kaspersky Online Scanner license has expired!"
and will not go any further. So I don't know what to do about that.

And my brother installed all these "Anti-Malware" programs overnight without me knowing, but he did not do any fixes, because they are "free versions" and want money to upgrade to fix them.

Sorry if I made things harder on your part. Many apologies on my part.
But here's the HJT Log.
------------------------------------------------------------------------
ComboFix 08-08-08.01 - A 2008-08-08 9:27:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\bsxtxqgy.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\zmiizg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\SYSTEM32\ilhsknxy.ini
C:\WINDOWS\SYSTEM32\kgawcjve.ini
C:\WINDOWS\SYSTEM32\Kjlnpqru.ini
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\ygqxtxsb.ini
C:\WINDOWS\system32\zmiizg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 09:39 . 2008-08-08 09:39 344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg
2008-08-08 09:07 . 2008-08-08 09:07 63 --a------ C:\WINDOWS\av_affiliate.ini
2008-08-08 09:07 . 2008-08-08 09:07 43 --a------ C:\WINDOWS\as_affiliate.ini
2008-08-08 08:56 . 2008-08-08 09:38 201,320 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys.szcpf
2008-08-08 02:56 . 2008-08-08 02:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-08 02:56 . 2008-08-08 02:56 <DIR> d----c--- C:\Documents and Settings\A\Application Data\PC Tools
2008-08-08 02:56 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-08-08 02:56 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-08-08 02:56 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-08-08 02:56 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-08-08 02:51 . 2008-08-08 02:51 <DIR> d-------- C:\Program Files\CyberDefender
2008-08-07 19:15 . 2008-08-07 19:15 <DIR> d-------- C:\Program Files\Panicware
2008-08-07 18:24 . 2008-08-08 09:41 4,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpcpy.cfg
2008-08-07 18:23 . 2008-08-08 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\STOPzilla!
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 18:21 . 2008-08-08 09:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 11:43 . 2008-08-07 11:43 <DIR> d----c--- C:\Deckard
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-07 18:06 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-31 10:06 . 2008-07-31 10:06 294 --ahs---- C:\WINDOWS\SYSTEM32\kltyxlyt.ini
2008-07-30 03:51 . 2008-07-30 03:51 65,536 ---hsc--- C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 13:38 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-08 13:07 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-04 17:21 --------- d-----w C:\Program Files\Lx_cats
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-08-01 15:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-29 12:02 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 02:29 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-06_11.23.21.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-13 14:03:58 34,432 ----a-r C:\WINDOWS\SYSTEM32\DRIVERS\SZKG.sys
+ 2008-06-26 14:50:04 708,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Base5.dll
+ 2008-06-26 14:56:46 364,544 ----a-r C:\WINDOWS\SYSTEM32\IS3DBA5.dll
+ 2008-06-26 14:55:36 61,440 ----a-r C:\WINDOWS\SYSTEM32\IS3Hks5.dll
+ 2008-06-26 14:56:58 126,976 ----a-r C:\WINDOWS\SYSTEM32\IS3HTUI5.dll
+ 2008-06-26 14:54:20 94,208 ----a-r C:\WINDOWS\SYSTEM32\IS3Inet5.dll
+ 2008-06-26 14:54:04 90,112 ----a-r C:\WINDOWS\SYSTEM32\IS3Svc5.dll
+ 2008-06-26 14:55:56 372,736 ----a-r C:\WINDOWS\SYSTEM32\IS3UI5.dll
+ 2008-06-26 14:54:50 196,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Win325.dll
+ 2008-06-26 14:55:12 23,040 ----a-r C:\WINDOWS\SYSTEM32\IS3XDat5.dll
- 2008-07-31 22:17:22 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-08 06:59:05 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-07-31 22:17:22 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-08 06:59:05 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-03 19:41:10 258,048 ----a-r C:\WINDOWS\SYSTEM32\SZBase5.dll
+ 2008-07-03 19:40:46 401,408 ----a-r C:\WINDOWS\SYSTEM32\SZComp5.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdasd2.exe" [2008-08-08 02:51 619848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe" [2008-08-08 02:51 566600]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdasd2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 09:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-08-08 9:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 13:52:27
ComboFix2.txt 2008-08-06 15:24:53

Pre-Run: 8,433,688,576 bytes free
Post-Run: 8,434,094,080 bytes free

289 --- E O F --- 2008-07-09 00:02:14

Blade81
2008-08-08, 20:28
And my brother installed all these "Anti-Malware" programs overnight without me knowing, but he did not do any fixes, because they are "free versions" and want money to upgrade to fix them.

Hi

Please make sure your brother doesn't do anything else by himself. Otherwise it's pretty hard to help. Now please uninstall those programs that were installed by him.


Upload the following file to http://www.virustotal.com and post back the results:
C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\SYSTEM32\kltyxlyt.ini
C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Also the Kaspersky Online Scanner kept saying this -
"Please wait to update the virus definitions...
Kaspersky Online Scanner license has expired!"
and will not go any further. So I don't know what to do about that.

Try to run this (http://www.kaspersky.com/virusscanner) version of Kaspersky Online Scanner. Post back its report if you were



Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post the contents of that file, a fresh HJT log and the above-mentioned ComboFix resultant log in your next reply.




PS. I'll be absent from Saturday to Sunday.

grilledcheese
2008-08-08, 21:20
I get an error when I search for C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg; it says it cannot be found. Should I skip this step?

Blade81
2008-08-08, 22:17
Yes, skip over that one.

grilledcheese
2008-08-09, 23:09
Note: I couldn't find the earlier ComboFix log, so I ran a new one. I hope I didn't mess up anything for you. But here are the logs.



KASPERSKY ONLINE SCANNER 7 REPORT:
Friday, August 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 21:05:03
Records in database: 1070303
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Scan statistics
Files scanned 143901
Threat name 4
Infected objects 4
Suspicious objects 0
Duration of the scan 02:11:45

File name Threat name Threats count
C:\Documents and Settings\A\My Documents\~Materia de Jill~\rеgedit.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ec 1
C:\Program Files\Symantec\LiveUpdate\DISreboot.exe Infected: not-a-virus:AdWare.Win32.Alibabar.t 1
C:\QooBox\Quarantine\C\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe.vir Infected: Trojan-Downloader.Win32.Zlob.tbt 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\evjcwagk.dll.vir Infected: Trojan.Win32.Monder.duj 1
The selected area was scanned.

---------------------------------------------------------------------
Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

3:17:22 PM 8/9/2008
mbam-log-8-9-2008 (15-17-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175010
Time elapsed: 1 hour(s), 36 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband.1 (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\byXOhIBS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\evjcwagk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hgGwUoMf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mcsofvbm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tlhdip.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvVLdaa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\urqpnljK.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xxyYoOif.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yayvWqpP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yayXQGVn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP698\A0767610.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP698\A0767611.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771064.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771074.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771077.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771079.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP701\A0771093.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP705\A0774314.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP705\A0774316.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP705\A0774320.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP705\A0774321.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ClickToFindandFixErrors_Intl.ico (Malware.Trace) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------


ComboFix Log:

ComboFix 08-08-08.01 - A 2008-08-08 9:27:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\bsxtxqgy.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\zmiizg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\SYSTEM32\ilhsknxy.ini
C:\WINDOWS\SYSTEM32\kgawcjve.ini
C:\WINDOWS\SYSTEM32\Kjlnpqru.ini
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\ygqxtxsb.ini
C:\WINDOWS\system32\zmiizg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 09:39 . 2008-08-08 09:39 344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg
2008-08-08 09:07 . 2008-08-08 09:07 63 --a------ C:\WINDOWS\av_affiliate.ini
2008-08-08 09:07 . 2008-08-08 09:07 43 --a------ C:\WINDOWS\as_affiliate.ini
2008-08-08 08:56 . 2008-08-08 09:38 201,320 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys.szcpf
2008-08-08 02:56 . 2008-08-08 02:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-08 02:56 . 2008-08-08 02:56 <DIR> d----c--- C:\Documents and Settings\A\Application Data\PC Tools
2008-08-08 02:56 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-08-08 02:56 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-08-08 02:56 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-08-08 02:56 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-08-08 02:51 . 2008-08-08 02:51 <DIR> d-------- C:\Program Files\CyberDefender
2008-08-07 19:15 . 2008-08-07 19:15 <DIR> d-------- C:\Program Files\Panicware
2008-08-07 18:24 . 2008-08-08 09:41 4,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpcpy.cfg
2008-08-07 18:23 . 2008-08-08 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\STOPzilla!
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 18:21 . 2008-08-08 09:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 11:43 . 2008-08-07 11:43 <DIR> d----c--- C:\Deckard
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-07 18:06 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-31 10:06 . 2008-07-31 10:06 294 --ahs---- C:\WINDOWS\SYSTEM32\kltyxlyt.ini
2008-07-30 03:51 . 2008-07-30 03:51 65,536 ---hsc--- C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 13:38 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-08 13:07 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-04 17:21 --------- d-----w C:\Program Files\Lx_cats
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-08-01 15:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-29 12:02 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 02:29 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-06_11.23.21.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-13 14:03:58 34,432 ----a-r C:\WINDOWS\SYSTEM32\DRIVERS\SZKG.sys
+ 2008-06-26 14:50:04 708,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Base5.dll
+ 2008-06-26 14:56:46 364,544 ----a-r C:\WINDOWS\SYSTEM32\IS3DBA5.dll
+ 2008-06-26 14:55:36 61,440 ----a-r C:\WINDOWS\SYSTEM32\IS3Hks5.dll
+ 2008-06-26 14:56:58 126,976 ----a-r C:\WINDOWS\SYSTEM32\IS3HTUI5.dll
+ 2008-06-26 14:54:20 94,208 ----a-r C:\WINDOWS\SYSTEM32\IS3Inet5.dll
+ 2008-06-26 14:54:04 90,112 ----a-r C:\WINDOWS\SYSTEM32\IS3Svc5.dll
+ 2008-06-26 14:55:56 372,736 ----a-r C:\WINDOWS\SYSTEM32\IS3UI5.dll
+ 2008-06-26 14:54:50 196,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Win325.dll
+ 2008-06-26 14:55:12 23,040 ----a-r C:\WINDOWS\SYSTEM32\IS3XDat5.dll
- 2008-07-31 22:17:22 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-08 06:59:05 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-07-31 22:17:22 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-08 06:59:05 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-03 19:41:10 258,048 ----a-r C:\WINDOWS\SYSTEM32\SZBase5.dll
+ 2008-07-03 19:40:46 401,408 ----a-r C:\WINDOWS\SYSTEM32\SZComp5.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdasd2.exe" [2008-08-08 02:51 619848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe" [2008-08-08 02:51 566600]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdasd2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 09:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-08-08 9:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 13:52:27
ComboFix2.txt 2008-08-06 15:24:53

Pre-Run: 8,433,688,576 bytes free
Post-Run: 8,434,094,080 bytes free

289 --- E O F --- 2008-07-09 00:02:14

--------------------------------------------------------------------------
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:16 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\A\Local Settings\Temp\jkos-A\binaries\ScanningProcess.exe
C:\Documents and Settings\A\Local Settings\Temp\jkos-A\binaries\ScanningProcess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\New Music Folder\FIX\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8093 bytes

Blade81
2008-08-10, 22:26
Hi

The ComboFix log was an old one that you had already posted earlier. Could you post a fresh one, please?

Upload the following file to http://www.virustotal.com and post back the results:
C:\Program Files\Symantec\LiveUpdate\DISreboot.exe


Delete C:\Documents and Settings\A\My Documents\~Materia de Jill~\rеgedit.exe file.

grilledcheese
2008-08-11, 18:47
Hello, and thanks.
Note: I uploaded C:\Program Files\Symantec\LiveUpdate\DISreboot.exe, but nothing happened to report.
Also, I couldn't find C:\Documents and Settings\A\My Documents\~Materia de Jill~\rеgedit.exe to delete it.
But here's the fresh ComboFix log you requested.

ComboFix 08-08-10.04 - A 2008-08-11 11:14:27.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.989 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 04:58 . 2008-08-11 06:24 <DIR> d----c--- C:\Wrath of the Lich King Beta
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-09 18:25 . 2008-08-09 19:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-09 18:15 . 2008-08-09 18:15 <DIR> d-------- C:\WINDOWS\EHome
2008-08-09 18:09 . 2008-04-13 20:12 7,680 --a------ C:\WINDOWS\SYSTEM32\spdwnwxp.exe
2008-08-09 18:08 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\002736_.tmp
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Malwarebytes
2008-08-09 13:09 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-09 13:09 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-08 10:08 . 2008-08-08 10:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-08-08 10:08 . 2008-08-08 10:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-08 08:56 . 2008-08-08 09:38 201,320 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys.szcpf
2008-08-07 18:23 . 2008-08-08 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 18:21 . 2008-08-08 09:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 11:43 . 2008-08-07 11:43 <DIR> d----c--- C:\Deckard
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-08 11:16 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 15:19 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-11 10:24 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-08-11 08:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-11 01:47 --------- d-----w C:\Program Files\World of Warcraft
2008-08-10 15:49 --------- d-----w C:\Program Files\Lx_cats
2008-08-10 15:42 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-08-08 15:09 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-06_11.23.21.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-12-28 08:59:12 78,543 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\OfflineCache\index.dat
+ 2008-08-09 23:17:11 78,543 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\OfflineCache\index.dat
- 2004-12-28 08:59:12 4,284 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
+ 2008-08-09 23:17:11 4,284 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-11 14:57:53 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-11 14:57:53 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-09 22:35:10 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008080920080810\index.dat
+ 2008-05-09 10:53:39 180,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
+ 2008-05-09 10:53:40 172,032 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
+ 2008-05-09 10:53:40 90,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
- 2008-07-17 11:03:39 250,288 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-08-09 23:10:32 250,288 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
- 2008-07-31 22:17:22 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-09 23:15:37 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-07-31 22:17:22 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-09 23:15:37 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2004-08-04 11:00:00 36,096 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0031\DriverFiles\i386\intelppm.sys
+ 2004-08-04 11:00:00 36,096 ----a-w C:\WINDOWS\SYSTEM32\ReinstallBackups\0032\DriverFiles\i386\intelppm.sys
- 2006-09-25 22:58:48 23,856 -c--a-w C:\WINDOWS\SYSTEM32\spupdsvc.exe
+ 2007-08-11 00:46:18 26,488 ----a-w C:\WINDOWS\SYSTEM32\spupdsvc.exe
- 2007-01-19 20:15:24 74,802 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2008-04-14 00:12:50 74,802 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
- 2007-01-19 20:15:24 995,383 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
+ 2008-04-14 00:12:50 995,383 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
- 2007-01-19 20:15:24 1,011,774 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
+ 2008-04-14 00:12:50 1,011,774 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
- 2007-01-19 20:15:24 401,462 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2008-04-14 00:12:50 401,462 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2008-04-14 00:12:51 1,054,208 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
+ 2008-04-14 00:12:47 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll
- 2004-08-04 11:00:00 853,504 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\DXMRTP.DLL
+ 2008-04-14 00:12:49 853,504 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
- 2004-08-04 11:00:00 991,232 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\RTCDLL.DLL
+ 2008-04-14 00:12:50 991,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
- 2004-08-04 11:00:00 132,096 -c--a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\RTCRES.DLL
+ 2008-04-13 18:26:33 132,096 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\A\Application Data\Mozilla\Firefox\Profiles\gu7b4wtp.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www6.comcast.net/a/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 11:21:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\update\update.exe
.
**************************************************************************
.
Completion time: 2008-08-11 11:34:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 15:33:31
ComboFix2.txt 2008-08-09 19:39:47
ComboFix3.txt 2008-08-08 19:39:20
ComboFix4.txt 2008-08-08 13:53:41
ComboFix5.txt 2008-08-11 15:13:28

Pre-Run: 1,623,629,824 bytes free
Post-Run: 1,392,508,928 bytes free

274 --- E O F --- 2008-08-10 07:03:19

Blade81
2008-08-11, 19:55
Note: I uploaded the C:\Program Files\Symantec\LiveUpdate\DISreboot.exe, but nothing happened to report
Hi

What do you mean by that? What browser did you use and was JavaScript enabled (check that especially if you use Firefox and the NoScript add-on)?

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\A\My Documents\~Materia de Jill~\rеgedit.exe
C:\WINDOWS\SYSTEM32\spdwnwxp.exe
C:\WINDOWS\002736_.tmp

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh HJT log. Answer also to my question.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also what process you had to end.

grilledcheese
2008-08-11, 21:08
Oh, well the file went into the folder, I thought you meant it was going to do something and then have a log to report, but yes, I use Firefox and yes, JavaScript was enabled.

ComboFix Log:

ComboFix 08-08-10.04 - A 2008-08-11 13:47:15.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.909 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\002736_.tmp
C:\WINDOWS\SYSTEM32\spdwnwxp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\002736_.tmp
C:\WINDOWS\SYSTEM32\spdwnwxp.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 11:33 . 2008-08-11 11:37 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-11 04:58 . 2008-08-11 13:40 <DIR> d----c--- C:\Wrath of the Lich King Beta
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-09 18:25 . 2008-08-09 19:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-08-09 18:25 . 2008-08-09 18:25 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-09 18:15 . 2008-08-09 18:15 <DIR> d-------- C:\WINDOWS\EHome
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:09 . 2008-08-09 13:09 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Malwarebytes
2008-08-09 13:09 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-09 13:09 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-08 10:08 . 2008-08-08 10:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-08-08 10:08 . 2008-08-08 10:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-08 08:56 . 2008-08-08 09:38 201,320 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys.szcpf
2008-08-07 18:23 . 2008-08-08 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 18:21 . 2008-08-08 09:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 11:43 . 2008-08-07 11:43 <DIR> d----c--- C:\Deckard
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-08 11:16 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 15:19 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-11 10:24 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-08-11 08:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-11 01:47 --------- d-----w C:\Program Files\World of Warcraft
2008-08-10 15:49 --------- d-----w C:\Program Files\Lx_cats
2008-08-10 15:42 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-08-08 15:09 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 13:51:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-11 13:53:12
ComboFix-quarantined-files.txt 2008-08-11 17:52:48
ComboFix2.txt 2008-08-11 15:34:49
ComboFix3.txt 2008-08-09 19:39:47
ComboFix4.txt 2008-08-08 19:39:20
ComboFix5.txt 2008-08-11 17:46:33

Pre-Run: 4,342,923,264 bytes free
Post-Run: 4,333,330,432 bytes free

201 --- E O F --- 2008-08-10 07:03:19


-----------------------------------------------------

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:42 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\New Music Folder\FIX\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7924 bytes

Blade81
2008-08-11, 21:53
Oh, well the file went into the folder, I thought you meant it was going to do something and then have a log to report, but yes, I use Firefox and yes, JavaScript was enabled.
Hi

It should go like this:
1. Click browse and navigate to the file you want to upload for checking (C:\Program Files\Symantec\LiveUpdate\DISreboot.exe).
2. When the path is correctly in the field click send file and wait for the report to be shown on that very same web site.

If that still doesn't work try uploading the file to http://virusscan.jotti.org

grilledcheese
2008-08-11, 22:38
Oh ok, sorry, I was confused as to how to work it, but now I think I did it right. Here are the results.

File DISreboot.exe received on 08.11.2008 18:20:42 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.12.0 2008.08.11 -
AntiVir 7.8.1.19 2008.08.11 -
Authentium 5.1.0.4 2008.08.11 -
Avast 4.8.1195.0 2008.08.11 Win32:Adware-gen
AVG 8.0.0.156 2008.08.11 -
BitDefender 7.2 2008.08.11 -
CAT-QuickHeal 9.50 2008.08.11 -
ClamAV 0.93.1 2008.08.11 -
DrWeb 4.44.0.09170 2008.08.11 -
eSafe 7.0.17.0 2008.08.11 -
eTrust-Vet 31.6.6023 2008.08.11 -
Ewido 4.0 2008.08.1 -
F-Prot 4.4.4.56 2008.08.11 -
F-Secure 7.60.13501.0 2008.08.11 AdWare.Win32.Alibabar.t
Fortinet 3.14.0.0 2008.08.11 -
GData 2.0.7306.1023 2008.08.11 Win32:Adware-gen
Ikarus T3.1.1.34.0 2008.08.11 -
K7AntiVirus 7.10.411 2008.08.11 not-a-virus:AdWare.Win32.Alibabar.t
Kaspersky 7.0.0.125 2008.08.11 not-a-virus:AdWare.Win32.Alibabar.t
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.11 -
NOD32v2 3346 2008.08.11 -
Norman 5.80.02 2008.08.11 -
Panda 9.0.0.4 2008.08.10 -
PCTools 4.4.2.0 2008.08.11 -
Prevx1 V2 2008.08.11 -
Rising 20.57.02.00 2008.08.11 -
Sophos 4.32.0 2008.08.11 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.11 -
TheHacker 6.2.96.395 2008.08.08 Adware/Alibabar.t
TrendMicro 8.700.0.1004 2008.08.11 -
VBA32 3.12.8.3 2008.08.11 AdWare.Win32.Alibabar.t
ViRobot 2008.8.11.1331 2008.08.11 Adware.Alibabar.36864.A
VirusBuster 4.5.11.0 2008.08.11 -
Webwasher-Gateway 6.6.2 2008.08.11 -
Additional information
File size: 36864 bytes
MD5...: 620cc2d873dd79db0682e5839a467c46
SHA1..: 16cd1249912ea7876ab78857d70bd86299e5662d
SHA256: 9d6e7914667ecea786e6812e916812d3baa4828d9eca46d436c9ef921d8a8f04
SHA512: 2e47f7c53b310c50c284e430aca980a4415c7e4d043b18e4db3c41d0c55c7145742d88ef935174433bb0bceb2028f8ab8f9d8750e084dae8e6add957b03c8c51
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401010
timedatestamp.....: 0x40d0c8f9 (Wed Jun 16 22:26:01 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x35be 0x4000 5.96 fd114ca37814c8f917192f9d154837a6
.rdata 0x5000 0x7a0 0x1000 3.17 c36f4345a0341b83304bb322e33a1435
.data 0x6000 0x29dc 0x3000 0.36 f0547d9d0d02570a9db6aa7cb294c69e

( 1 imports )
> KERNEL32.dll: GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, WriteFile, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTy

Blade81
2008-08-11, 23:38
Hi

Delete C:\Program Files\Symantec\LiveUpdate\DISreboot.exe file.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis





Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK




Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/).


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download Spybot
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
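The six Internet Explorer Custom Level settings in the post above are stored as DWORD values under the Internet zone key in the registry. The following is an added example, not code from the thread or from any of the tools it mentions, that audits those six values (and applies the recommended ones with -Apply); it assumes Windows PowerShell and per-user zone settings under HKCU, i.e. the Security_HKLM_only policy is not in force.

```powershell
# Added example (not from the thread): audit the six Internet-zone settings
# listed above by reading the registry values the IE Security > Custom Level
# dialog writes. Assumes per-user settings under HKCU.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action IDs for the Internet zone (3); data 0 = Enable, 1 = Prompt, 3 = Disable
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZone {
    param([switch]$Apply)   # report only unless -Apply is given
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($s in $Recommended) {
        $have = $zone.($s.Id)
        if ($null -eq $have) { $haveText = 'not set (IE default)' }
        elseif ($Label.ContainsKey([int]$have)) { $haveText = $Label[[int]$have] }
        else { $haveText = "unknown ($have)" }

        # A missing value is treated as weak so the default is never trusted blindly
        $ok = ($null -ne $have) -and ([int]$have -eq $s.Want)
        $status = if ($ok) { 'OK  ' } else { 'WEAK' }
        "{0} {1,-62} is {2,-20} want {3}" -f $status, $s.Name, $haveText, $Label[$s.Want]

        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

Test-InternetZone          # audit only; use Test-InternetZone -Apply to set the recommended values
```

Running the audit before and after the Custom Level changes confirms the dialog wrote what you expected; lines marked WEAK are the ones still differing from the post's recommendations.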

grilledcheese
2008-08-12, 21:06
Well, first off I'd like to say THANK YOU!:heart: heh.

But everything seems to be back to the way it was, no more annoying pop-ups, my computer seems to be running like it used to. I haven't noticed any problems so far. I followed all the above steps and am downloading the anti-malware programs as I type this.

Again many thanks for your time and help.:bigthumb:

Blade81
2008-08-12, 22:10
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.